Windows Analysis Report
U8uFcjIjAR.exe

Overview

General Information

Sample name: U8uFcjIjAR.exe
renamed because original name is a hash value
Original sample name: 91def0d39df0644ccaf67445d196c88e.exe
Analysis ID: 1435256
MD5: 91def0d39df0644ccaf67445d196c88e
SHA1: 5eb6774cdeb6b36184be7ead4c78761999aaceb4
SHA256: ad1f57993c2137cbdf93bfa1839a4f06e46424ef57803a08dfd4495c7be0b3de
Tags: 32, exe, trojan

Detection

LummaC, Amadey, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
System process connects to network (likely due to code injection or exploit)
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected Glupteba
Yara detected LummaC Stealer
Yara detected Mars stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected Stealc
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Yara detected zgRAT
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Creates an undocumented autostart registry key
Disables UAC (registry)
Found Tor onion address
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops certificate files (DER)
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file does not import any functions
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: Glupteba
Description: Glupteba is a trojan horse malware that is one of the top ten malware variants of 2021. After infecting a system, the Glupteba malware can be used to deliver additional malware, steal user authentication information, and enroll the infected system in a cryptomining botnet.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection

Source: U8uFcjIjAR.exe Avira: detected
Source: 00000020.00000002.5887832543.0000000001DF0000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: StealC {"C2 url": "http://185.172.128.150/c698e1bc8a2f5e6d.php"}
Source: 00000020.00000003.2278711466.0000000001B70000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": "http://185.172.128.150/c698e1bc8a2f5e6d.php"}
Source: 50.2.alexxxxxxxx.exe.48fd86.3.raw.unpack Malware Configuration Extractor: RedLine {"C2 url": ["5.252.22.216:44356"], "Bot Id": "2608kleyvsnet", "Authorization Header": "5fbb2db54ba05b2223e91d7545647809"}
Source: 8.2.RegAsm.exe.400000.0.unpack Malware Configuration Extractor: LummaC {"C2 url": ["pillowbrocccolipe.shop", "communicationgenerwo.shop", "diskretainvigorousiw.shop", "affordcharmcropwo.shop", "dismissalcylinderhostw.shop", "enthusiasimtitleow.shop", "worryfillvolcawoi.shop", "cleartotalfisherwo.shop", "affordcharmcropwo.shop"], "Build id": "LGNDR1--ketamine"}
Source: 22.2.NewB.exe.f0000.0.unpack Malware Configuration Extractor: Amadey {"C2 url": "185.172.128.19/ghsdh39s/index.php", "Version": "4.12"}
Source: C:\Users\user\AppData\Local\0LDENujoRxGDNSg8nAFeOW4T.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\0LDENujoRxGDNSg8nAFeOW4T.exe Virustotal: Detection: 72% Perma Link
Source: C:\Users\user\AppData\Local\1vyyhjyTv0WQsnxGKVgh8uWj.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\1vyyhjyTv0WQsnxGKVgh8uWj.exe Virustotal: Detection: 72% Perma Link
Source: C:\Users\user\AppData\Local\2H2iULi73jPqktFJ6OepOola.exe ReversingLabs: Detection: 48%
Source: C:\Users\user\AppData\Local\2H2iULi73jPqktFJ6OepOola.exe Virustotal: Detection: 47% Perma Link
Source: C:\Users\user\AppData\Local\2N7xiUcqYcPt4XwwaXd6aBnt.exe ReversingLabs: Detection: 48%
Source: C:\Users\user\AppData\Local\2N7xiUcqYcPt4XwwaXd6aBnt.exe Virustotal: Detection: 47% Perma Link
Source: C:\Users\user\AppData\Local\2xEk595iCLChQEIkapYMtg4d.exe ReversingLabs: Detection: 48%
Source: C:\Users\user\AppData\Local\2xEk595iCLChQEIkapYMtg4d.exe Virustotal: Detection: 47% Perma Link
Source: C:\Users\user\AppData\Local\38jnFT91OuswY7e76EHimubt.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\38jnFT91OuswY7e76EHimubt.exe Virustotal: Detection: 45% Perma Link
Source: C:\Users\user\AppData\Local\3ffKdsqDDK85YKPHUJ1yg9YY.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\3ffKdsqDDK85YKPHUJ1yg9YY.exe Virustotal: Detection: 72% Perma Link
Source: C:\Users\user\AppData\Local\5fqYYoyWfgcx2hRWq28g7nNF.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\5fqYYoyWfgcx2hRWq28g7nNF.exe Virustotal: Detection: 45% Perma Link
Source: C:\Users\user\AppData\Local\5j4vJucQDJ5dRUHs8KgbU6zE.exe ReversingLabs: Detection: 48%
Source: C:\Users\user\AppData\Local\5j4vJucQDJ5dRUHs8KgbU6zE.exe Virustotal: Detection: 47% Perma Link
Source: C:\Users\user\AppData\Local\5mXUxo0CobvbEjsxN58lv8JE.exe ReversingLabs: Detection: 48%
Source: C:\Users\user\AppData\Local\5mXUxo0CobvbEjsxN58lv8JE.exe Virustotal: Detection: 47% Perma Link
Source: C:\Users\user\AppData\Local\6NJQIAQREgE8pnH0Tc3vNghh.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\6NJQIAQREgE8pnH0Tc3vNghh.exe Virustotal: Detection: 45% Perma Link
Source: C:\Users\user\AppData\Local\7RNCUCyZQBj5TbzSirPLZTx4.exe ReversingLabs: Detection: 25%
Source: C:\Users\user\AppData\Local\7RNCUCyZQBj5TbzSirPLZTx4.exe Virustotal: Detection: 21% Perma Link
Source: U8uFcjIjAR.exe Virustotal: Detection: 56% Perma Link
Source: U8uFcjIjAR.exe ReversingLabs: Detection: 52%
Source: Yara match File source: 49.2.G5ySvIIiUZEng2gHEb0ia9X8.exe.3e40e67.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 49.2.G5ySvIIiUZEng2gHEb0ia9X8.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000031.00000002.5829605644.0000000000843000.00000040.00000001.01000000.0000001F.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000002.6053929407.0000000004283000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: G5ySvIIiUZEng2gHEb0ia9X8.exe PID: 7812, type: MEMORYSTR
Source: U8uFcjIjAR.exe Joe Sandbox ML: detected
Source: 32.2.u1eg.0.exe.400000.0.raw.unpack String decryptor: CtIvEWInDoW
Source: 32.2.u1eg.0.exe.400000.0.raw.unpack String decryptor: AgEBOxw
Source: 32.2.u1eg.0.exe.400000.0.raw.unpack String decryptor: ijklmnopqrs
Source: 32.2.u1eg.0.exe.400000.0.raw.unpack String decryptor: /#%33@@@
Source: 32.2.u1eg.0.exe.400000.0.raw.unpack String decryptor: abcdefghijklmnopqrs
Source: 32.2.u1eg.0.exe.400000.0.raw.unpack String decryptor: @@@@<@@@
Source: 32.2.u1eg.0.exe.400000.0.raw.unpack String decryptor: abcdefghijklmnopqrs
Source: 32.2.u1eg.0.exe.400000.0.raw.unpack String decryptor: "&&""..""&&"">>""&&"".."ikSQWQSQ_QBEklmn^pqrBtuvFxyzL123H5679+/|
Source: 32.2.u1eg.0.exe.400000.0.raw.unpack String decryptor: %s\%V/yVs
Source: 32.2.u1eg.0.exe.400000.0.raw.unpack String decryptor: %s\*.
Source: 32.2.u1eg.0.exe.400000.0.raw.unpack String decryptor: }567y9n/S
Source: 32.2.u1eg.0.exe.400000.0.raw.unpack String decryptor: ntTekeny
Source: 32.2.u1eg.0.exe.400000.0.raw.unpack String decryptor: ging
Source: 32.2.u1eg.0.exe.400000.0.raw.unpack String decryptor: PassMord0
Source: 32.2.u1eg.0.exe.400000.0.raw.unpack String decryptor: J@@@`z`@J@@@J@@@
Source: 32.2.u1eg.0.exe.400000.0.raw.unpack String decryptor: OPQRSTUVWXY
Source: 32.2.u1eg.0.exe.400000.0.raw.unpack String decryptor: 456753+/---- '
Source: 32.2.u1eg.0.exe.400000.0.raw.unpack String decryptor: '--- '
Source: 32.2.u1eg.0.exe.400000.0.raw.unpack String decryptor: n|
Source: 32.2.u1eg.0.exe.400000.0.raw.unpack String decryptor: HeapFree
Source: 32.2.u1eg.0.exe.400000.0.raw.unpack String decryptor: GetLocaleInfoA
Source: 32.2.u1eg.0.exe.400000.0.raw.unpack String decryptor: ntProcessId
Source: 32.2.u1eg.0.exe.400000.0.raw.unpack String decryptor: wininet.dll
Source: 32.2.u1eg.0.exe.400000.0.raw.unpack String decryptor: shlwapi.dll
Source: 32.2.u1eg.0.exe.400000.0.raw.unpack String decryptor: shell32.dll
Source: 32.2.u1eg.0.exe.400000.0.raw.unpack String decryptor: .dll
Source: 32.2.u1eg.0.exe.400000.0.raw.unpack String decryptor: column_text
Source: 32.2.u1eg.0.exe.400000.0.raw.unpack String decryptor: login:
Source: 8.2.RegAsm.exe.400000.0.unpack String decryptor: pillowbrocccolipe.shop
Source: 8.2.RegAsm.exe.400000.0.unpack String decryptor: communicationgenerwo.shop
Source: 8.2.RegAsm.exe.400000.0.unpack String decryptor: diskretainvigorousiw.shop
Source: 8.2.RegAsm.exe.400000.0.unpack String decryptor: affordcharmcropwo.shop
Source: 8.2.RegAsm.exe.400000.0.unpack String decryptor: dismissalcylinderhostw.shop
Source: 8.2.RegAsm.exe.400000.0.unpack String decryptor: enthusiasimtitleow.shop
Source: 8.2.RegAsm.exe.400000.0.unpack String decryptor: worryfillvolcawoi.shop
Source: 8.2.RegAsm.exe.400000.0.unpack String decryptor: cleartotalfisherwo.shop
Source: 8.2.RegAsm.exe.400000.0.unpack String decryptor: affordcharmcropwo.shop
Source: 8.2.RegAsm.exe.400000.0.unpack String decryptor: lid=%s&j=%s&ver=4.0
Source: 8.2.RegAsm.exe.400000.0.unpack String decryptor: TeslaBrowser/5.5
Source: 8.2.RegAsm.exe.400000.0.unpack String decryptor: - Screen Resoluton:
Source: 8.2.RegAsm.exe.400000.0.unpack String decryptor: - Physical Installed Memory:
Source: 8.2.RegAsm.exe.400000.0.unpack String decryptor: Workgroup: -
Source: 8.2.RegAsm.exe.400000.0.unpack String decryptor: LGNDR1--ketamine
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: 185.172.128.19
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: /ghsdh39s/index.php
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: S-%lu-
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: cd1f156d67
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: Utsysc.exe
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: SCHTASKS
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: /Create /SC MINUTE /MO 1 /TN
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: /TR "
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: Startup
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: cmd /C RMDIR /s/q
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: rundll32
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: /Delete /TN "
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: Programs
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: %USERPROFILE%
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: cred.dll|clip.dll|
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: http://
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: https://
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: /Plugins/
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: &unit=
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: shell32.dll
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: kernel32.dll
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: GetNativeSystemInfo
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: ProgramData\
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: AVAST Software
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: Kaspersky Lab
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: Panda Security
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: Doctor Web
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: 360TotalSecurity
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: Bitdefender
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: Norton
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: Sophos
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: Comodo
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: WinDefender
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: 0123456789
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: ------
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: ?scr=1
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: ComputerName
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: -unicode-
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: VideoID
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: DefaultSettings.XResolution
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: DefaultSettings.YResolution
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: ProductName
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: CurrentBuild
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: echo Y|CACLS "
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: " /P "
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: CACLS "
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: :R" /E
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: :F" /E
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: &&Exit
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: rundll32.exe
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: "taskkill /f /im "
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: " && timeout 1 && del
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: && Exit"
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: " && ren
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: Powershell.exe
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: -executionpolicy remotesigned -File "
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: shutdown -s -t 0
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: /w']fC
Source: 22.2.NewB.exe.f0000.0.unpack String decryptor: vw(hF=
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_004162C7 CryptUnprotectData, 8_2_004162C7
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_0233BE70 CryptUnprotectData, 23_2_0233BE70
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_0233C3D3 CryptUnprotectData, 23_2_0233C3D3

Exploits

Source: Yara match File source: 0000001D.00000002.2861385706.000001F09E930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file300un.exe PID: 4764, type: MEMORYSTR

Bitcoin Miner

Source: Yara match File source: 49.2.G5ySvIIiUZEng2gHEb0ia9X8.exe.3e40e67.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 49.2.G5ySvIIiUZEng2gHEb0ia9X8.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000031.00000002.5829605644.0000000000843000.00000040.00000001.01000000.0000001F.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000002.6053929407.0000000004283000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: G5ySvIIiUZEng2gHEb0ia9X8.exe PID: 7812, type: MEMORYSTR

Compliance

Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Unpacked PE file: 24.2.ISetup8.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe Unpacked PE file: 32.2.u1eg.0.exe.400000.0.unpack
Source: C:\Users\user\Pictures\CpqmTFb0JovJ1ZbssYgoEukK.exe Unpacked PE file: 47.2.CpqmTFb0JovJ1ZbssYgoEukK.exe.400000.0.unpack
Source: C:\Users\user\Pictures\G5ySvIIiUZEng2gHEb0ia9X8.exe Unpacked PE file: 49.2.G5ySvIIiUZEng2gHEb0ia9X8.exe.400000.7.unpack
Source: U8uFcjIjAR.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: mozglue.pdbP source: u1eg.0.exe, 00000020.00000002.6096699540.000000006885D000.00000002.00000001.01000000.00000023.sdmp
Source: Binary string: nss3.pdb@ source: u1eg.0.exe, 00000020.00000002.6096225459.00000000641CF000.00000002.00000001.01000000.00000022.sdmp
Source: Binary string: C:\toperusubal-zudenicurezu nof\39\kukego70\gada.pdb source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000000.2461943733.0000000000411000.00000002.00000001.01000000.0000001F.sdmp, 4767d2e713f2021e8fe856e3ea638b58.exe, 00000033.00000000.2469487126.0000000000411000.00000002.00000001.01000000.00000021.sdmp, rBkbJurNkGUDcfqWsMfUiKI9.exe.36.dr
Source: Binary string: Age does not matchThe module age and .pdb age do not match. source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: symsrv.pdb source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000C7A000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.00000000046B9000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\Anton\Desktop\UnionFiles\UnionFiles\obj\Debug\union.pdb source: alexxxxxxxx.exe, 00000032.00000002.3329080036.000000000040D000.00000004.00000001.01000000.00000020.sdmp
Source: Binary string: mozglue.pdb source: u1eg.0.exe, 00000020.00000002.6096699540.000000006885D000.00000002.00000001.01000000.00000023.sdmp
Source: Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000843000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.0000000004283000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000843000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.0000000004283000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: symsrv.pdbGCTL source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000C7A000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.00000000046B9000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\riranux\jasihomey\22\kula.pdb source: ISetup8.exe, 00000018.00000000.2223502674.0000000000411000.00000002.00000001.01000000.00000011.sdmp, ISetup8.exe, 00000018.00000002.3745771138.0000000001CD4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.6369327107.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.6369327107.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003487000.00000004.00000800.00020000.00000000.sdmp, CpqmTFb0JovJ1ZbssYgoEukK.exe, 0000002F.00000002.3796315364.0000000001D44000.00000004.00000020.00020000.00000000.sdmp, CpqmTFb0JovJ1ZbssYgoEukK.exe, 0000002F.00000000.2425786195.0000000000411000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: c:\tx2yxmt09kx\obj\Release\Croco.pdbt source: swiiiii.exe, 00000005.00000002.3118995157.00000000030A3000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000843000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.0000000004283000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\x64\Release\WinmonProcessMonitor.pdb source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000843000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.0000000004283000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: EfiGuardDxe.pdb source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: {!C:\toperusubal-zudenicurezu nof\39\kukego70\gada.pdb source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000000.2461943733.0000000000411000.00000002.00000001.01000000.0000001F.sdmp, 4767d2e713f2021e8fe856e3ea638b58.exe, 00000033.00000000.2469487126.0000000000411000.00000002.00000001.01000000.00000021.sdmp, rBkbJurNkGUDcfqWsMfUiKI9.exe.36.dr
Source: Binary string: C:\1ej6jx007\Body.pdb source: alexxxxxxxx.exe, 00000032.00000000.2565956379.000000000030B000.00000002.00000001.01000000.00000020.sdmp
Source: Binary string: Signature does not matchThe module signature does not match with .pdb signature source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: dbghelp.pdb source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: dbghelp.pdbGCTL source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: jfesawdr.exe, 00000021.00000000.2355046369.0000000000D34000.00000002.00000001.01000000.00000017.sdmp, jfesawdr.exe, 00000021.00000003.2364643272.0000000006E46000.00000004.00000020.00020000.00000000.sdmp, jfesawdr.exe, 00000021.00000003.2367292935.00000000056A2000.00000004.00000020.00020000.00000000.sdmp, jfesawdr.exe, 00000021.00000002.2550287078.0000000000D34000.00000002.00000001.01000000.00000017.sdmp, work.exe, 0000002A.00000002.5607567766.00000000004C4000.00000002.00000001.01000000.0000001B.sdmp, work.exe, 0000002A.00000000.2382750085.00000000004C4000.00000002.00000001.01000000.0000001B.sdmp
Source: Binary string: Loader.pdb source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000843000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.0000000004283000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\pisinep.pdb source: ISetup8.exe, 00000018.00000003.2278245560.0000000003761000.00000004.00000020.00020000.00000000.sdmp, u1eg.0.exe, 00000020.00000000.2276301293.0000000000411000.00000002.00000001.01000000.00000016.sdmp, CpqmTFb0JovJ1ZbssYgoEukK.exe, 0000002F.00000003.2616193995.0000000003701000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: EfiGuardDxe.pdb7 source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6000753987.00000000038FF000.00000040.00000020.00020000.00000000.sdmp
Source: Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: Q!C:\riranux\jasihomey\22\kula.pdb source: ISetup8.exe, 00000018.00000000.2223502674.0000000000411000.00000002.00000001.01000000.00000011.sdmp, ISetup8.exe, 00000018.00000002.3745771138.0000000001CD4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.6369327107.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.6369327107.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003487000.00000004.00000800.00020000.00000000.sdmp, CpqmTFb0JovJ1ZbssYgoEukK.exe, 0000002F.00000002.3796315364.0000000001D44000.00000004.00000020.00020000.00000000.sdmp, CpqmTFb0JovJ1ZbssYgoEukK.exe, 0000002F.00000000.2425786195.0000000000411000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: Downloading symbols for [%s] %ssrv*symsrv*http://https://_bad_pdb_file.pdb source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000843000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.0000000004283000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000843000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.0000000004283000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: Drive not readyThis error indicates a .pdb file related failure. source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: Unable to locate the .pdb file in this location source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: The module signature does not match with .pdb signature. source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: .pdb.dbg source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: '(EfiGuardDxe.pdbx source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\Release\WinmonProcessMonitor.pdb source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000843000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.0000000004283000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: fMC:\pisinep.pdb source: ISetup8.exe, 00000018.00000003.2278245560.0000000003761000.00000004.00000020.00020000.00000000.sdmp, u1eg.0.exe, 00000020.00000000.2276301293.0000000000411000.00000002.00000001.01000000.00000016.sdmp, CpqmTFb0JovJ1ZbssYgoEukK.exe, 0000002F.00000003.2616193995.0000000003701000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: or you do not have access permission to the .pdb location. source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: c:\tx2yxmt09kx\obj\Release\Croco.pdb source: swiiiii.exe, 00000005.00000002.3118995157.00000000030A3000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: nss3.pdb source: u1eg.0.exe, 00000020.00000002.6096225459.00000000641CF000.00000002.00000001.01000000.00000022.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: number of queries: 1399
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: 22_2_0012DB5E FindFirstFileExW, 22_2_0012DB5E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_0041D8B1 FindFirstFileExA, 24_2_0041D8B1
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_01BADB18 FindFirstFileExA, 24_2_01BADB18
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\Videos\desktop.ini Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\Music\desktop.ini Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\OneDrive\desktop.ini Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx edx, byte ptr [eax+edi] 8_2_004381B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esp] 8_2_004162C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [eax-08h], 5C3924FCh 8_2_0041B6AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov edx, dword ptr [esp+10h] 8_2_00409BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then inc edi 8_2_00402CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then lea esi, dword ptr [edx+ecx] 8_2_0041EFD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov edx, dword ptr [esi+00000080h] 8_2_0042404C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then push 00000000h 8_2_00411007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov edx, dword ptr [esi+00000080h] 8_2_00424038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov edi, dword ptr [esi+10h] 8_2_004210E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ebx, dword ptr [esp] 8_2_004110A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp ecx 8_2_004231D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then inc ecx 8_2_00414190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esp+54h] 8_2_004171A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov edx, dword ptr [esp+000000BCh] 8_2_0041B230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+08h] 8_2_004122E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov edx, dword ptr [esi+00000080h] 8_2_004232E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+00000080h] 8_2_00422355
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+00000080h] 8_2_00422355
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+10h] 8_2_004183C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 8_2_0042E3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+00000080h] 8_2_004223FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esi+00000080h] 8_2_00423381
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ebx, eax 8_2_00414397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esi+08h] 8_2_00421418
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ebx, dword ptr [esi] 8_2_0042342A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+00000080h] 8_2_00422328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [eax-08h], 18DC7455h 8_2_00432600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 8_2_00402620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+0Ch] 8_2_0041D634
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+74h] 8_2_004206F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp ecx 8_2_004206F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 8_2_004226A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 8_2_004226A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp eax 8_2_00421770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov dword ptr [esi+08h], edx 8_2_0041D878
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 8_2_00421FEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then lea eax, dword ptr [edi+04h] 8_2_0041F94E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+08h] 8_2_004149A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then lea eax, dword ptr [esi+000000D4h] 8_2_00420A55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp word ptr [esp+eax+000000A0h], 0000h 8_2_00433A9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then inc ebx 8_2_0041DBCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp word ptr [esp+eax+000000A0h], 0000h 8_2_00433A95
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp word ptr [ebx+edi+02h], 0000h 8_2_00419E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movsx ecx, byte ptr [esi+eax] 8_2_0040DF20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp eax 8_2_0041FFD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 8_2_00421FF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov edx, dword ptr [esi+00000080h] 8_2_00423FF3
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 23_2_023A5AA0
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 4x nop then jmp 023A5481h 23_2_023A51C0
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 23_2_023A58F7

Networking

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 193.233.132.56 80
Source: Malware configuration extractor URLs: http://185.172.128.150/c698e1bc8a2f5e6d.php
Source: Malware configuration extractor URLs: pillowbrocccolipe.shop
Source: Malware configuration extractor URLs: communicationgenerwo.shop
Source: Malware configuration extractor URLs: diskretainvigorousiw.shop
Source: Malware configuration extractor URLs: affordcharmcropwo.shop
Source: Malware configuration extractor URLs: dismissalcylinderhostw.shop
Source: Malware configuration extractor URLs: enthusiasimtitleow.shop
Source: Malware configuration extractor URLs: worryfillvolcawoi.shop
Source: Malware configuration extractor URLs: cleartotalfisherwo.shop
Source: Malware configuration extractor URLs: affordcharmcropwo.shop
Source: Malware configuration extractor URLs: http://185.172.128.150/c698e1bc8a2f5e6d.php
Source: Malware configuration extractor IPs: 185.172.128.19
Source: Malware configuration extractor URLs: 5.252.22.216:44356
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: xxxvQ222Muur7IAhJFO2josf.exe.36.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: qxBJ9q7JFSujxnUh8qc7NeOo.exe.36.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: KxxYgtSXXYBdt8WEqc8cz7ko.exe.36.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: SFikDJwNMJxgFTwKZA4lZsP0.exe.36.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: edp3oPwo77sX93prOjhnnm7f.exe.36.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: O9XmeM92fKONDftmgyRaFliB.exe.36.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: wwnqRXQsqOwsfHiXwyXHy36k.exe.36.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: TluJPFR20Cizqk9QCeZ4f6Wn.exe.36.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: valG8sjMrHqezgFOb9xfgsjM.exe.36.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: KImI36TC1Y7rGZ5UkRKOyITD.exe.36.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: hBG4JWy9UHJZLtiCZWmjck9Q.exe.36.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: jbLETzz7C0GBJ2a9yv4MjoYb.exe.36.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: hMGf7FJgQbefAorbqBxMGDZP.exe.36.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: IFHfRfJdw1mqQCHZWR8f3Vkv.exe.36.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: Ov5ij7qPcC9pQIWxjxMSsuFg.exe.36.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: TOVomg3JhzM1hDeL6OH8S3j4.exe.36.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: ohTgVe16YIJposWY9rBcMWQt.exe.36.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: jvyyUuPRRkaqGCtIkwRw4Z1Q.exe.36.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: soJYu58T815PAMbVZEi3FqAj.exe.36.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: pkTvRQbqxGJDEvP7qn2hNX7G.exe.36.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: IuSz2b3gScKM1g5aUyC8xIoo.exe.36.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: maw0QWL9For4QfobCLCbl1L1.exe.36.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: dLUPpAAtiEoWEQUBQv1GxQM3.exe.36.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: tOnhkleN9bZiXdFSaCNnUUUo.exe.36.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: SPYvPkIgJ1TpTR0wYPcX8Kzy.exe.36.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: fsVNTOPIZjvyyKLUfdVpOR4A.exe.36.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: iVaytSUSPGL5LKFxhJGT9AxZ.exe.36.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: CP9gGCLZql6Z3VnxUgaovlrP.exe.36.dr
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6270082528.000000000D01A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://3ebu257qh2dlauxqj7cgv3i55e4orb55mwgqf4tq7eicsa3dfhr4aaid.onion
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6270082528.000000000D10A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://3ebu257qh2dlauxqj7cgv3i55e4orb55mwgqf4tq7eicsa3dfhr4aaid.onion
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6270082528.000000000D0DA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: C:C:\Windowshttps://statsexplorer.orghttp://3ebu257qh2dlauxqj7cgv3i55e4orb55mwgqf4tq7eicsa3dfhr4aaid.onion
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6270082528.000000000D0A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://3ebu257qh2dlauxqj7cgv3i55e4orb55mwgqf4tq7eicsa3dfhr4aaid.onion
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6270082528.000000000D0A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://3ebu257qh2dlauxqj7cgv3i55e4orb55mwgqf4tq7eicsa3dfhr4aaid.onionS-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7FirstInstallDateS-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7SeDebugPrivilege
Source: Yara match File source: 29.2.file300un.exe.1f09e9e81c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.file300un.exe.1f09e9eac30.2.raw.unpack, type: UNPACKEDPE
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: 22_2_000FA0F9 SetCurrentDirectoryA,CreateFileA,InternetOpenA,InternetOpenUrlA,InternetReadFile,WriteFile,WriteFile,InternetReadFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,RemoveDirectoryA, 22_2_000FA0F9
Source: u1eg.0.exe, 00000020.00000002.5885291735.0000000001DCE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150
Source: u1eg.0.exe, 00000020.00000002.5887832543.0000000001E27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/b7d0cfdb1d966bdd/freebl3.dll
Source: u1eg.0.exe, 00000020.00000002.5887832543.0000000001E27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/b7d0cfdb1d966bdd/freebl3.dll2
Source: u1eg.0.exe, 00000020.00000002.5887832543.0000000001E27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/b7d0cfdb1d966bdd/mozglue.dll&
Source: u1eg.0.exe, 00000020.00000002.5887832543.0000000001E27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/b7d0cfdb1d966bdd/mozglue.dllF&y
Source: u1eg.0.exe, 00000020.00000002.5887832543.0000000001E27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/b7d0cfdb1d966bdd/msvcp140.dll
Source: u1eg.0.exe, 00000020.00000002.5887832543.0000000001E27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/b7d0cfdb1d966bdd/msvcp140.dlld
Source: u1eg.0.exe, 00000020.00000002.5887832543.0000000001E27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/b7d0cfdb1d966bdd/nss3.dll
Source: u1eg.0.exe, 00000020.00000002.5887832543.0000000001E27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/b7d0cfdb1d966bdd/softokn3.dll)
Source: u1eg.0.exe, 00000020.00000002.5887832543.0000000001E27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/b7d0cfdb1d966bdd/softokn3.dll:
Source: u1eg.0.exe, 00000020.00000002.5887832543.0000000001E27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/b7d0cfdb1d966bdd/sqlite3.dll
Source: u1eg.0.exe, 00000020.00000002.5887832543.0000000001E27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/b7d0cfdb1d966bdd/sqlite3.dllZ&e
Source: u1eg.0.exe, 00000020.00000002.5887832543.0000000001E45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/b7d0cfdb1d966bdd/vcruntime140.dll
Source: u1eg.0.exe, 00000020.00000002.6046545365.0000000028431000.00000004.00000020.00020000.00000000.sdmp, u1eg.0.exe, 00000020.00000002.5887832543.0000000001DF0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.php
Source: u1eg.0.exe, 00000020.00000002.5887832543.0000000001E27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.php(
Source: u1eg.0.exe, 00000020.00000002.5887832543.0000000001E27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.php-fulluser-l1-1-0F
Source: u1eg.0.exe, 00000020.00000002.5887832543.0000000001DF0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.php.
Source: u1eg.0.exe, 00000020.00000002.5859591620.0000000000447000.00000040.00000001.01000000.00000016.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.php4997f6a61d8485d9c328da3e7b57-release85746faab393cc2fce814
Source: u1eg.0.exe, 00000020.00000002.5887832543.0000000001DF0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.php9
Source: u1eg.0.exe, 00000020.00000002.6046545365.0000000028431000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.php:
Source: u1eg.0.exe, 00000020.00000002.5887832543.0000000001E45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.php;
Source: u1eg.0.exe, 00000020.00000002.6046545365.0000000028431000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.phpJ
Source: u1eg.0.exe, 00000020.00000002.5887832543.0000000001E45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.phpK
Source: u1eg.0.exe, 00000020.00000002.5887832543.0000000001E45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.php_
Source: u1eg.0.exe, 00000020.00000002.5887832543.0000000001E45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.phpc
Source: u1eg.0.exe, 00000020.00000002.5887832543.0000000001DF0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.phpd
Source: u1eg.0.exe, 00000020.00000002.5887832543.0000000001E45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.phpg
Source: u1eg.0.exe, 00000020.00000002.5887832543.0000000001E45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.phpk
Source: u1eg.0.exe, 00000020.00000002.5887832543.0000000001DF0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.phpm
Source: u1eg.0.exe, 00000020.00000002.6046545365.0000000028431000.00000004.00000020.00020000.00000000.sdmp, u1eg.0.exe, 00000020.00000002.5887832543.0000000001DF0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.phpv
Source: u1eg.0.exe, 00000020.00000002.5887832543.0000000001E45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.phpw
Source: u1eg.0.exe, 00000020.00000002.5887832543.0000000001DF0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.phpx
Source: InstallUtil.exe, 00000024.00000002.5890381088.0000000002E42000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002EE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003119000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.59
Source: InstallUtil.exe, 00000024.00000002.5890381088.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.59/ISetup5.exe
Source: InstallUtil.exe, 00000024.00000002.5890381088.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002E2A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002FF9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000319F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.00000000033FC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003513000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002E42000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002EC0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002F87000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003027000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002E07000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002E17000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002E50000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002FBA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002F02000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002DF4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.59/ISetup5.exe4k2
Source: InstallUtil.exe, 00000024.00000002.5890381088.0000000003519000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.00000000033FC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.172.18
Source: InstallUtil.exe, 00000024.00000002.5890381088.0000000003121000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003446000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.00000000030E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://193.233.132
Source: InstallUtil.exe, 00000024.00000002.5890381088.0000000002E2A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003027000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002FBA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.175
Source: InstallUtil.exe, 00000024.00000002.5890381088.0000000002FBA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.00000000032DB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000318F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.175/server/ww12/AppGate2103v01.exe
Source: InstallUtil.exe, 00000024.00000002.5890381088.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002E2A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000319F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.00000000033FC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003513000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002EE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002EC0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002F87000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003027000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002E07000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003071000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002E17000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002E4B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002FBA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002F02000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002DF4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.175/server/ww12/AppGate2103v01.exe4k2
Source: InstallUtil.exe, 00000024.00000002.5890381088.0000000003225000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000326D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000333B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.00000000031AD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000346D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003121000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003330000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003216000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.234
Source: InstallUtil.exe, 00000024.00000002.5890381088.0000000002F87000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.234/files/setup
Source: InstallUtil.exe, 00000024.00000002.5890381088.0000000002FBA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.00000000032DB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000318F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.234/files/setup.exe
Source: InstallUtil.exe, 00000024.00000002.5890381088.0000000002E2A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002E46000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000319F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003513000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000304B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002EC0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002F87000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003027000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002E07000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003071000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003330000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002E17000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002E50000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002FBA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002F02000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002DF4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.234/files/setup.exe4k2
Source: InstallUtil.exe, 00000024.00000002.5890381088.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.234/files/setup.exep
Source: InstallUtil.exe, 00000024.00000002.5890381088.0000000003503000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.00000000030FB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002FF9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000319F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.00000000033FC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003513000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002F87000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002ECF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003330000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003310000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002FBA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.00000000032DB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000318F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.234/files/thterh.exe
Source: InstallUtil.exe, 00000024.00000002.5890381088.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.00000000033FC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003513000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003071000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003330000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.234/files/thterh.exe4k2
Source: rundll32.exe, 00000006.00000002.5627211593.0000016238630000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/
Source: rundll32.exe, 00000006.00000003.5462964818.00000162366D2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.5624870860.00000162366D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php
Source: rundll32.exe, 00000006.00000002.5627211593.0000016238630000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php?wal=1
Source: rundll32.exe, 00000006.00000002.5624870860.00000162366D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php?wal=1(
Source: rundll32.exe, 00000006.00000002.5627211593.0000016238630000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php?wal=1es
Source: rundll32.exe, 00000006.00000002.5627211593.0000016238630000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php?wal=1s
Source: rundll32.exe, 00000006.00000003.5462964818.00000162366D2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.5624870860.00000162366D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.phpRXS
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6270082528.000000000D01A000.00000004.00001000.00020000.00000000.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6270082528.000000000D10A000.00000004.00001000.00020000.00000000.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6270082528.000000000D0A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://3ebu257qh2dlauxqj7cgv3i55e4orb55mwgqf4tq7eicsa3dfhr4aaid.onion
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6270082528.000000000D0A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://3ebu257qh2dlauxqj7cgv3i55e4orb55mwgqf4tq7eicsa3dfhr4aaid.onionS-1-5-21-2246122658-3693405117-
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6270082528.000000000D01A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://3ebu257qh2dlauxqj7cgv3i55e4orb55mwgqf4tq7eicsa3dfhr4aaid.onionhttp://3ebu257qh2dlauxqj7cgv3i5
Source: RegAsm.exe, 0000001C.00000002.4777581729.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.143.157.84
Source: RegAsm.exe, 0000001C.00000002.4777581729.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001C.00000002.4777581729.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.143.157.84/
Source: RegAsm.exe, 0000001C.00000002.4777581729.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.143.157.84/73eed764cc59dcb.php
Source: RegAsm.exe, 0000001C.00000002.4777581729.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.143.157.84/73eed764cc59dcb.phpK
Source: RegAsm.exe, 0000001C.00000002.4777581729.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.143.157.84/73eed764cc59dcb.phps
Source: RegAsm.exe, 0000001C.00000002.4777581729.0000000000C99000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.143.157.84/84bad7132df89fd7/sqlite3.dll
Source: RegAsm.exe, 0000001C.00000002.4777581729.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.143.157.84/84bad7132df89fd7/sqlite3.dllCG
Source: RegAsm.exe, 0000001C.00000002.4777581729.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.143.157.84/84bad7132df89fd7/sqlite3.dllUGy
Source: RegAsm.exe, 0000001C.00000002.4777581729.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.143.157.84/84bad7132df89fd7/sqlite3.dlled764cc59dcb.php
Source: RegAsm.exe, 0000001C.00000002.4777581729.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001C.00000002.4777581729.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.143.157.84/84bad7132df89fd7/sqlite3.dlll
Source: RegAsm.exe, 0000001C.00000002.4777581729.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.143.157.84/84bad7132df89fd7/sqlite3.dllqG
Source: RegAsm.exe, 0000001C.00000002.4714052350.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001C.00000002.4714052350.000000000042C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://52.143.157.84/c73eed764cc59dcb.php
Source: RegAsm.exe, 0000001C.00000002.4777581729.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.143.157.84/c73eed764cc59dcb.php0
Source: RegAsm.exe, 0000001C.00000002.4714052350.000000000042C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://52.143.157.84/c73eed764cc59dcb.php8cInm6YOSJ.exe
Source: RegAsm.exe, 0000001C.00000002.4777581729.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.143.157.84/c73eed764cc59dcb.php?
Source: RegAsm.exe, 0000001C.00000002.4777581729.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.143.157.84/c73eed764cc59dcb.php_
Source: RegAsm.exe, 0000001C.00000002.4777581729.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.143.157.84/lick-to-Run
Source: RegAsm.exe, 0000001C.00000002.4777581729.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.143.157.84/ows
Source: svchost.exe, 00000013.00000003.2567305333.00000220AE182000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://Passport.NET/STS
Source: svchost.exe, 00000013.00000002.4628223340.00000220AD878000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2567305333.00000220AE182000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://Passport.NET/tb
Source: svchost.exe, 00000013.00000003.2413038443.00000220AD8EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://Passport.NET/tb:pp
Source: svchost.exe, 00000013.00000002.4629121137.00000220AE64A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2765663536.00000220AE649000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://Passport.NET/tb_
Source: svchost.exe, 00000013.00000002.4629121137.00000220AE64A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2224062977.00000220AE643000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2765663536.00000220AE649000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://Passport.NET/tb_300d
Source: svchost.exe, 00000013.00000002.4629016546.00000220AE610000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://Passport.NET/tb_en
Source: ISetup8.exe, 00000018.00000003.2807691606.0000000005115000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: ISetup8.exe, 00000018.00000003.2807691606.0000000005115000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6000753987.00000000038FF000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.g
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000843000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.0000000004283000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000843000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.0000000004283000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000843000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.0000000004283000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: ISetup8.exe, 00000018.00000003.2807691606.0000000005115000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003535000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.00000000033FC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000322F000.00000004.00000800.00020000.00000000.sdmp, LfTUXDPwxqflzUdNce50hrbG.exe.36.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: ISetup8.exe, 00000018.00000003.2807691606.0000000005115000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: ISetup8.exe, 00000018.00000003.2807691606.0000000005115000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: ISetup8.exe, 00000018.00000003.2807691606.0000000005115000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: ISetup8.exe, 00000018.00000003.2807691606.0000000005115000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: ISetup8.exe, 00000018.00000003.2807691606.0000000005115000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003535000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.00000000033FC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000322F000.00000004.00000800.00020000.00000000.sdmp, LfTUXDPwxqflzUdNce50hrbG.exe.36.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: InstallUtil.exe, 00000024.00000002.6796207764.00000000077BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.0000000003E40000.00000040.00001000.00020000.00000000.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000400000.00000040.00000001.01000000.0000001F.sdmp String found in binary or memory: http://devlog.gregarius.net/docs/ua)Links
Source: svchost.exe, 00000013.00000003.4619932120.00000220AE16B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.4621596622.00000220AE16D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasiUTF-8.o
Source: svchost.exe, 00000013.00000003.4621648469.00000220AE17A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2672690474.00000220AE176000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.4622428272.00000220AE17C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/o
Source: svchost.exe, 00000013.00000003.2567305333.00000220AE174000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-
Source: svchost.exe, 00000013.00000003.4621674636.00000220AE176000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.4622314515.00000220AE177000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2672690474.00000220AE176000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-2otificationses
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: svchost.exe, 00000013.00000003.2652696986.00000220AE182000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wX
Source: svchost.exe, 00000013.00000003.2672690474.00000220AE176000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.4617384128.00000220AD93D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.4621596622.00000220AE16D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.4622428272.00000220AE17C000.00000004.00000020.00020000.00000000.sdmp, jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: svchost.exe, 00000013.00000003.2378467071.00000220AE107000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2379269011.00000220AE10E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd$
Source: svchost.exe, 00000013.00000003.4619774350.00000220AE182000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.4622123829.00000220AE184000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd/01/oa
Source: svchost.exe, 00000013.00000003.2462299099.00000220AE10E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2266693606.00000220AE10E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2364487706.00000220AE10F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2364276148.00000220AE107000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2409834425.00000220AE10F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2364449960.00000220AE109000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2578070023.00000220AE10F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.4621566741.00000220AE103000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2378467071.00000220AE107000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2577996114.00000220AE10E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2415234481.00000220AE10E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2578028401.00000220AE10F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2403266723.00000220AE10E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2566163243.00000220AE10E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2410885025.00000220AE10F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2379269011.00000220AE10E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2266967134.00000220AE10E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2462203181.00000220AE10E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2413674419.00000220AE10E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2282837169.00000220AE10E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2334206708.00000220AE10E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAA
Source: svchost.exe, 00000013.00000003.2281639286.00000220AE129000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAAA
Source: svchost.exe, 00000013.00000003.2652696986.00000220AE182000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdcurit
Source: svchost.exe, 00000013.00000003.2192541064.00000220AE152000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdfh
Source: svchost.exe, 00000013.00000003.4621674636.00000220AE176000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.4622314515.00000220AE177000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2567305333.00000220AE174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2672690474.00000220AE176000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdr
Source: svchost.exe, 00000013.00000003.2567305333.00000220AE174000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdrithm
Source: svchost.exe, 00000013.00000003.2567305333.00000220AE174000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsds
Source: svchost.exe, 00000013.00000003.2672746288.00000220AE16E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.4622123829.00000220AE184000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2672690474.00000220AE176000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.4621596622.00000220AE16D000.00000004.00000020.00020000.00000000.sdmp, jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: svchost.exe, 00000013.00000003.2364449960.00000220AE109000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd$
Source: svchost.exe, 00000013.00000003.2567305333.00000220AE174000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd/www
Source: svchost.exe, 00000013.00000003.4621674636.00000220AE176000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.4622314515.00000220AE177000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2672690474.00000220AE176000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd://P
Source: svchost.exe, 00000013.00000003.2462299099.00000220AE10E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2266693606.00000220AE10E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2364487706.00000220AE10F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2364276148.00000220AE107000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2409834425.00000220AE10F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2364449960.00000220AE109000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2578070023.00000220AE10F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.4621566741.00000220AE103000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2378467071.00000220AE107000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2577996114.00000220AE10E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2415234481.00000220AE10E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2578028401.00000220AE10F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2403266723.00000220AE10E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2566163243.00000220AE10E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2410885025.00000220AE10F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2379269011.00000220AE10E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2266967134.00000220AE10E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2462203181.00000220AE10E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2413674419.00000220AE10E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2282837169.00000220AE10E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2334206708.00000220AE10E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdA
Source: svchost.exe, 00000013.00000003.2281639286.00000220AE129000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAA
Source: svchost.exe, 00000013.00000003.2281639286.00000220AE129000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAA
Source: svchost.exe, 00000013.00000003.2567305333.00000220AE174000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAB
Source: svchost.exe, 00000013.00000003.4619774350.00000220AE182000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.4622123829.00000220AE184000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdcurit
Source: svchost.exe, 00000013.00000003.2652696986.00000220AE182000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.4619774350.00000220AE182000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.4622123829.00000220AE184000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdervic
Source: svchost.exe, 00000013.00000003.4621674636.00000220AE176000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.4622314515.00000220AE177000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2672690474.00000220AE176000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdithm
Source: svchost.exe, 00000013.00000003.2192541064.00000220AE152000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdmlns:
Source: svchost.exe, 00000013.00000003.4621674636.00000220AE176000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.4622314515.00000220AE177000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2672690474.00000220AE176000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsds
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: svchost.exe, 00000013.00000002.4628649394.00000220AD8E7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4629089698.00000220AE641000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2765663536.00000220AE649000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionID
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: ISetup8.exe, 00000018.00000003.2807691606.0000000004D29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://download.iolo.net
Source: ISetup8.exe, 00000018.00000003.2807691606.0000000004D29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://google.com
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://https://_bad_pdb_file.pdb
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.0000000003E40000.00000040.00001000.00020000.00000000.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000400000.00000040.00000001.01000000.0000001F.sdmp String found in binary or memory: http://invalidlog.txtlookup
Source: InstallUtil.exe, 00000024.00000002.5890381088.00000000030E3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003583000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.00000000033AD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.00000000032A7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003299000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003446000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.00000000034C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://jonathantwo.com
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.0000000003E40000.00000040.00001000.00020000.00000000.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000400000.00000040.00000001.01000000.0000001F.sdmp String found in binary or memory: http://localhost:3433/https://duniadekho.baridna:
Source: powershell.exe, 00000014.00000002.5284850816.0000023D12EF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.5395052785.0000023D21691000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: ISetup8.exe, 00000018.00000003.2807691606.0000000005115000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0H
Source: ISetup8.exe, 00000018.00000003.2807691606.0000000005115000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0I
Source: ISetup8.exe, 00000018.00000003.2807691606.0000000005115000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003535000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.00000000033FC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000322F000.00000004.00000800.00020000.00000000.sdmp, LfTUXDPwxqflzUdNce50hrbG.exe.36.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: svchost.exe, 00000013.00000002.4629048958.00000220AE613000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4629218503.00000220AE661000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://passport.net/tb
Source: InstallUtil.exe, 00000024.00000002.5890381088.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003535000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.00000000031AD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000322F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000345C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003294000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000346D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003071000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000330C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003310000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003187000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003345000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.00000000032C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pastebin.com
Source: jok.exe, 00000017.00000002.6041581644.00000000026D7000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000017.00000002.6041581644.00000000026EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pedomane.com
Source: jok.exe, 00000017.00000002.6041581644.00000000026D7000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000017.00000002.6041581644.0000000002739000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000017.00000002.6041581644.00000000026EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pedomane.com/file.exe
Source: powershell.exe, 00000014.00000002.5284850816.0000023D11848000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.5284850816.0000023D12EA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: jok.exe, 00000017.00000002.5945962075.000000000072E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://purl.oen
Source: InstallUtil.exe, 00000024.00000002.5890381088.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003225000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003372000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003519000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000326D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000333B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.00000000031AD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000346D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003121000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003345000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://realdeepai.org
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: powershell.exe, 00000014.00000002.5284850816.0000023D11848000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: svchost.exe, 00000013.00000003.4620033033.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.4622050773.00000220AE165000.00000004.00000020.00020000.00000000.sdmp, jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9$
Source: svchost.exe, 00000013.00000003.4620631095.00000220AE149000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.4621914928.00000220AE14C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.4620577958.00000220AE145000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.4622234486.00000220AE14D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.4620693805.00000220AE14A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.4620548829.00000220AE142000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.4619868306.00000220AE140000.00000004.00000020.00020000.00000000.sdmp, jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: svchost.exe, 00000013.00000003.4619868306.00000220AE140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.4622050773.00000220AE165000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: svchost.exe, 00000013.00000003.2672746288.00000220AE16E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.4622076548.00000220AE16F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy502
Source: svchost.exe, 00000013.00000003.4620987072.00000220AE119000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.4620846448.00000220AE118000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policyce
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: svchost.exe, 00000013.00000003.4620033033.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2379269011.00000220AE10E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.4622050773.00000220AE165000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2672780624.00000220AE199000.00000004.00000020.00020000.00000000.sdmp, jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: svchost.exe, 00000013.00000003.4620033033.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.4622050773.00000220AE165000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc4
Source: svchost.exe, 00000013.00000003.4621967475.00000220AE143000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.4620548829.00000220AE142000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.4619868306.00000220AE140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scToken
Source: svchost.exe, 00000013.00000003.4621967475.00000220AE143000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.4620548829.00000220AE142000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.4619868306.00000220AE140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scbQ=
Source: svchost.exe, 00000013.00000003.4620987072.00000220AE119000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.4620846448.00000220AE118000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sck=
Source: svchost.exe, 00000013.00000003.4620033033.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.4622050773.00000220AE165000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scult
Source: svchost.exe, 00000013.00000003.4619868306.00000220AE140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.4622050773.00000220AE165000.00000004.00000020.00020000.00000000.sdmp, jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: svchost.exe, 00000013.00000003.2672746288.00000220AE16E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.4622076548.00000220AE16F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issuessue
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: svchost.exe, 00000013.00000002.4628188243.00000220AD85F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628649394.00000220AD8E7000.00000004.00000020.00020000.00000000.sdmp, jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: svchost.exe, 00000013.00000003.2672746288.00000220AE16E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.4622076548.00000220AE16F000.00000004.00000020.00020000.00000000.sdmp, jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: powershell.exe, 00000014.00000002.5284850816.0000023D11621000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: powershell.exe, 00000014.00000002.5284850816.0000023D11848000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.0000000003E40000.00000040.00001000.00020000.00000000.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000400000.00000040.00000001.01000000.0000001F.sdmp String found in binary or memory: http://search.msn.com/msnbot.htm)msnbot/1.1
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.0000000003E40000.00000040.00001000.00020000.00000000.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000400000.00000040.00000001.01000000.0000001F.sdmp String found in binary or memory: http://search.msn.com/msnbot.htm)net/http:
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.0000000003E40000.00000040.00001000.00020000.00000000.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000400000.00000040.00000001.01000000.0000001F.sdmp String found in binary or memory: http://search.msn.com/msnbot.htm)pkcs7:
Source: ISetup8.exe, 00000018.00000003.2807691606.0000000004D29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://svc.iolo.com/__svc/sbv/DownloadManager.ashx
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/D
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
Source: jok.exe, 00000017.00000002.6178407982.00000000036FE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15V
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: jok.exe, 00000017.00000002.6041581644.00000000026D7000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000017.00000002.6041581644.0000000002739000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18
Source: jok.exe, 00000017.00000002.6041581644.00000000026D7000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000017.00000002.6041581644.0000000002739000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: jok.exe, 00000017.00000002.6041581644.00000000026D7000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000017.00000002.6041581644.0000000002739000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: jok.exe, 00000017.00000002.6041581644.00000000026D7000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000017.00000002.6041581644.0000000002739000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
Source: jok.exe, 00000017.00000002.6041581644.0000000002729000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000017.00000002.6041581644.00000000026C7000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: jok.exe, 00000017.00000002.6041581644.00000000026D7000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000017.00000002.6041581644.0000000002739000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
Source: jok.exe, 00000017.00000002.6041581644.0000000002739000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: jok.exe, 00000017.00000002.6041581644.00000000026D7000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000017.00000002.6041581644.0000000002739000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: jok.exe, 00000017.00000002.6041581644.0000000002700000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24ResponseD
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9
Source: jok.exe, 00000017.00000002.6041581644.0000000002591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: jok.exe, 00000017.00000002.6041581644.00000000026D7000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000017.00000002.6041581644.0000000002739000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
Source: powershell.exe, 00000014.00000002.5284850816.0000023D11848000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.5284850816.0000023D12EA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.0000000003E40000.00000040.00001000.00020000.00000000.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000400000.00000040.00000001.01000000.0000001F.sdmp String found in binary or memory: http://www.avantbrowser.com)MOT-V9mm/00.62
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.0000000003E40000.00000040.00001000.00020000.00000000.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000400000.00000040.00000001.01000000.0000001F.sdmp String found in binary or memory: http://www.baidu.com/search/spider.htm)MobileSafari/600.1.4
Source: ISetup8.exe, 00000018.00000003.2807691606.0000000005115000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.0000000003E40000.00000040.00001000.00020000.00000000.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000400000.00000040.00000001.01000000.0000001F.sdmp String found in binary or memory: http://www.google.com/feedfetcher.html)HKLM
Source: ISetup8.exe, 00000018.00000003.2807691606.0000000004D29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.indyproject.org/
Source: u1eg.0.exe, 00000020.00000002.6096699540.000000006885D000.00000002.00000001.01000000.00000023.sdmp String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: u1eg.0.exe, 00000020.00000002.5998228928.000000001C293000.00000004.00000020.00020000.00000000.sdmp, u1eg.0.exe, 00000020.00000002.6092687802.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: InstallUtil.exe, 00000024.00000002.5890381088.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003535000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000326D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003299000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.00000000031AD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000322F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000345C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000346D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003071000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003310000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003187000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003345000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.00000000032C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://yip.su
Source: u1eg.0.exe, 00000020.00000002.5887832543.0000000001E7C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: svchost.exe, 00000013.00000003.2179162997.00000220AE13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628152264.00000220AD840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179208263.00000220AE140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
Source: svchost.exe, 00000013.00000003.2179162997.00000220AE13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179722342.00000220AE156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2178902127.00000220AE12C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2178902127.00000220AE129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179208263.00000220AE140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179026311.00000220AE152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628188243.00000220AD85F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
Source: svchost.exe, 00000013.00000003.2178902127.00000220AE129000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80600
Source: svchost.exe, 00000013.00000003.2179722342.00000220AE156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2178902127.00000220AE129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179026311.00000220AE152000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80601
Source: svchost.exe, 00000013.00000003.2178902127.00000220AE129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179026311.00000220AE152000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80603
Source: svchost.exe, 00000013.00000003.2178902127.00000220AE129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179026311.00000220AE152000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80604
Source: svchost.exe, 00000013.00000003.2178902127.00000220AE129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179026311.00000220AE152000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80605
Source: svchost.exe, 00000013.00000003.2179162997.00000220AE13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179208263.00000220AE140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
Source: svchost.exe, 00000013.00000002.4628152264.00000220AD840000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600e
Source: svchost.exe, 00000013.00000003.2179162997.00000220AE13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628152264.00000220AD840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179208263.00000220AE140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 00000013.00000003.2179162997.00000220AE13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179208263.00000220AE140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628188243.00000220AD85F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628188243.00000220AD85F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628188243.00000220AD85F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 00000013.00000003.2179162997.00000220AE13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2178902127.00000220AE129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628152264.00000220AD840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179208263.00000220AE140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179026311.00000220AE152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179187786.00000220AE157000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/msangcwam
Source: RegAsm.exe, 00000008.00000002.2417012660.00000000034D3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://affordcharmcropwo.shop/
Source: RegAsm.exe, 00000008.00000002.2379841648.000000000141A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://affordcharmcropwo.shop/api
Source: RegAsm.exe, 00000008.00000002.2379841648.000000000141A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://affordcharmcropwo.shop/apic
Source: RegAsm.exe, 00000008.00000002.2417012660.00000000034D3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://affordcharmcropwo.shop/apieJDz
Source: RegAsm.exe, 00000008.00000002.2417012660.00000000034D3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://affordcharmcropwo.shop/apiwy
Source: RegAsm.exe, 00000008.00000002.2375987946.00000000013C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://affordcharmcropwo.shop:443/api
Source: powershell.exe, 00000014.00000002.5284850816.0000023D11621000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000014.00000002.5284850816.0000023D11848000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.5284850816.0000023D12C4B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000014.00000002.5284850816.0000023D12C4B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000017.00000000.2187097797.0000000000222000.00000002.00000001.01000000.0000000F.sdmp, alexxxxxxxx.exe, 00000032.00000002.3329080036.000000000040D000.00000004.00000001.01000000.00000020.sdmp, alexxxxxxxx.exe, 00000032.00000002.3329080036.000000000031F000.00000004.00000001.01000000.00000020.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000400000.00000040.00000001.01000000.0000001F.sdmp String found in binary or memory: https://blockchain.infoindex
Source: podaw.exe, 00000030.00000003.3766083236.00000000013EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: podaw.exe, 00000030.00000003.3766083236.00000000013EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: InstallUtil.exe, 00000024.00000002.5890381088.0000000003369000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000342F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.iplogger.org/favicon.ico
Source: InstallUtil.exe, 00000024.00000002.5890381088.0000000003369000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000342F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.iplogger.org/redirect/logo-dark.png);background-position:center;background-repeat:no-rep
Source: u1eg.0.exe, 00000020.00000002.5887832543.0000000001E7C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: u1eg.0.exe, 00000020.00000002.5887832543.0000000001E7C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: podaw.exe, 00000030.00000003.3766083236.00000000013EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: podaw.exe, 00000030.00000003.3766083236.00000000013EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: powershell.exe, 00000014.00000002.5395052785.0000023D21691000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000014.00000002.5395052785.0000023D21691000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000014.00000002.5395052785.0000023D21691000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: InstallUtil.exe, 00000024.00000002.5890381088.0000000003369000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000342F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003357000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002E7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://counter.yadro.ru/hit?
Source: podaw.exe, 00000030.00000003.3027552501.000000000394C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: podaw.exe, 00000030.00000003.3027552501.000000000394C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: podaw.exe, 00000030.00000003.3027552501.000000000394C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000014.00000002.5284850816.0000023D11848000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.5284850816.0000023D12EA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000014.00000002.5410538624.0000023D29A25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://go.mi
Source: podaw.exe, 00000030.00000003.3766083236.00000000013EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: podaw.exe, 00000030.00000003.3269853341.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, podaw.exe, 00000030.00000003.4371518062.000000000141D000.00000004.00000020.00020000.00000000.sdmp, podaw.exe, 00000030.00000002.4393351960.000000000141D000.00000004.00000020.00020000.00000000.sdmp, podaw.exe, 00000030.00000002.4392954715.000000000136C000.00000004.00000020.00020000.00000000.sdmp, podaw.exe, 00000030.00000002.4394012444.0000000003910000.00000004.00000800.00020000.00000000.sdmp, podaw.exe, 00000030.00000003.3269500078.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, podaw.exe, 00000030.00000003.4354646659.000000000141D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://incredibleextedwj.shop/
Source: podaw.exe, 00000030.00000002.4394012444.0000000003910000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incredibleextedwj.shop/M
Source: podaw.exe, 00000030.00000002.4394012444.0000000003910000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incredibleextedwj.shop/T
Source: podaw.exe, 00000030.00000003.4354741853.00000000013C6000.00000004.00000020.00020000.00000000.sdmp, podaw.exe, 00000030.00000003.3269853341.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, podaw.exe, 00000030.00000003.3889259413.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, podaw.exe, 00000030.00000002.4393166624.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, podaw.exe, 00000030.00000003.3889639123.00000000013E2000.00000004.00000020.00020000.00000000.sdmp, podaw.exe, 00000030.00000003.3709110233.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, podaw.exe, 00000030.00000003.3709244682.00000000013E2000.00000004.00000020.00020000.00000000.sdmp, podaw.exe, 00000030.00000002.4392954715.000000000136C000.00000004.00000020.00020000.00000000.sdmp, podaw.exe, 00000030.00000003.4350856050.00000000013C6000.00000004.00000020.00020000.00000000.sdmp, podaw.exe, 00000030.00000003.3269500078.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, podaw.exe, 00000030.00000003.4371620305.00000000013C6000.00000004.00000020.00020000.00000000.sdmp, podaw.exe, 00000030.00000003.3779272175.00000000013E2000.00000004.00000020.00020000.00000000.sdmp, podaw.exe, 00000030.00000003.3779087424.00000000013E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://incredibleextedwj.shop/api
Source: podaw.exe, 00000030.00000002.4392954715.000000000136C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://incredibleextedwj.shop/apihort
Source: podaw.exe, 00000030.00000003.3779272175.00000000013E2000.00000004.00000020.00020000.00000000.sdmp, podaw.exe, 00000030.00000003.3779087424.00000000013E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://incredibleextedwj.shop/apir
Source: InstallUtil.exe, 00000024.00000002.5890381088.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://iplogger.com/1lyxz
Source: jok.exe, 00000017.00000002.6041581644.00000000026D7000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000017.00000002.6041581644.0000000002739000.00000004.00000800.00020000.00000000.sdmp, jok.exe, 00000017.00000002.5998303629.0000000000883000.00000004.00000020.00020000.00000000.sdmp, jok.exe, 00000017.00000002.6805197306.00000000070D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplogger.com/26d096
Source: jok.exe, 00000017.00000002.5998303629.0000000000883000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplogger.com/26d096.
Source: jok.exe, 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://iplogger.com/26d096E%
Source: jok.exe, 00000017.00000002.6618718835.000000000617D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplogger.com/26d096T
Source: InstallUtil.exe, 00000024.00000002.5890381088.0000000003369000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000342F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003357000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002E7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://iplogger.org/
Source: InstallUtil.exe, 00000024.00000002.5890381088.0000000003369000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000342F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003357000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002E7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://iplogger.org/privacy/
Source: InstallUtil.exe, 00000024.00000002.5890381088.0000000003369000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000342F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003357000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002E7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://iplogger.org/rules/
Source: InstallUtil.exe, 00000024.00000002.5890381088.000000000304B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000322F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002F02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://jonathantwo.com
Source: InstallUtil.exe, 00000024.00000002.5890381088.0000000002F02000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002EFB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.00000000030D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://jonathantwo.com/7c01bdea43026295bd9dcdbc2f93c432/6779d89b7a368f4f3f340b50a9d18d71.exe
Source: InstallUtil.exe, 00000024.00000002.5890381088.0000000002E46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://jonathantwo.com4k2
Source: InstallUtil.exe, 00000024.00000002.5890381088.0000000003535000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000346D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://jonathantwo.comH
Source: InstallUtil.exe, 00000024.00000002.5890381088.0000000003519000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://jonathantwo.comHj
Source: NewB.exe, 0000000F.00000003.2449661997.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, NewB.exe, 0000000F.00000003.2415956432.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, NewB.exe, 0000000F.00000003.2415956432.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://junglethomas.com/7c01bdea43026295bd9dcdbc2f93c432/4767d2e713f2021e8fe856e3ea638b58.exe
Source: NewB.exe, 0000000F.00000003.2449661997.0000000000A88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://junglethomas.com/7c01bdea43026295bd9dcdbc2f93c432/4767d2e713f2021e8fe856e3ea638b58.exe$
Source: NewB.exe, 0000000F.00000003.2449661997.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, NewB.exe, 0000000F.00000003.2415956432.0000000000A88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://junglethomas.com/9dcdbc2f93c432/4767d2e713f2021e8fe856e3ea638b58.exe
Source: svchost.exe, 00000013.00000002.4629284784.00000220AE67F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628188243.00000220AD85F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ApproveSession.srf
Source: svchost.exe, 00000013.00000003.2179162997.00000220AE13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179208263.00000220AE140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ApproveSession.srfsrf
Source: svchost.exe, 00000013.00000003.2179722342.00000220AE156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2178902127.00000220AE129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179026311.00000220AE152000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&amp;id=80600
Source: svchost.exe, 00000013.00000003.2179722342.00000220AE156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2178902127.00000220AE129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179026311.00000220AE152000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&amp;id=80601
Source: svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179371122.00000220AE16B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628188243.00000220AD85F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
Source: svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179371122.00000220AE16B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628188243.00000220AD85F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 00000013.00000003.2178902127.00000220AE12C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179371122.00000220AE16B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628188243.00000220AD85F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 00000013.00000003.2179162997.00000220AE13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628152264.00000220AD840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179208263.00000220AE140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ListSessions.srf
Source: svchost.exe, 00000013.00000003.2179162997.00000220AE13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179208263.00000220AE140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628188243.00000220AD85F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ManageApprover.srf
Source: svchost.exe, 00000013.00000003.2673195541.00000220AD837000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628124463.00000220AD83A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2720427105.00000220AD839000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628188243.00000220AD85F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ManageLoginKeys.srf
Source: svchost.exe, 00000013.00000003.2179162997.00000220AE13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179208263.00000220AE140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ManageLoginKeys.srf3457
Source: svchost.exe, 00000013.00000002.4628188243.00000220AD85F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628401468.00000220AD8A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/RST2.srf
Source: svchost.exe, 00000013.00000002.4629048958.00000220AE613000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/RST2.srf$
Source: svchost.exe, 00000013.00000003.2179162997.00000220AE13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628152264.00000220AD840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179208263.00000220AE140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/didtou.srf
Source: svchost.exe, 00000013.00000003.2179162997.00000220AE13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628152264.00000220AD840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179208263.00000220AE140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/getrealminfo.srf
Source: svchost.exe, 00000013.00000003.2179162997.00000220AE13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628152264.00000220AD840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179208263.00000220AE140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/getuserrealm.srf
Source: svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2178980151.00000220AE110000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179371122.00000220AE16B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628152264.00000220AD840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628188243.00000220AD85F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179371122.00000220AE16B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628188243.00000220AD85F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
Source: svchost.exe, 00000013.00000003.2179520754.00000220AE127000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srff
Source: svchost.exe, 00000013.00000003.2179162997.00000220AE13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179208263.00000220AE140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628188243.00000220AD85F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 00000013.00000003.2179520754.00000220AE127000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179371122.00000220AE16B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628188243.00000220AD85F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
Source: svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179371122.00000220AE16B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 00000013.00000003.2179520754.00000220AE127000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srfX
Source: svchost.exe, 00000013.00000002.4628188243.00000220AD85F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srfssuer
Source: svchost.exe, 00000013.00000003.2673195541.00000220AD837000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179162997.00000220AE13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628124463.00000220AD83A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2720427105.00000220AD839000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179208263.00000220AE140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628188243.00000220AD85F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
Source: svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179371122.00000220AE16B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628188243.00000220AD85F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
Source: svchost.exe, 00000013.00000003.2178902127.00000220AE12C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179371122.00000220AE16B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628188243.00000220AD85F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
Source: svchost.exe, 00000013.00000003.2364134253.00000220AE15A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf?stsft=-DiK70mt8cph
Source: svchost.exe, 00000013.00000003.2179162997.00000220AE13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179722342.00000220AE156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2178902127.00000220AE129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179208263.00000220AE140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179026311.00000220AE152000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
Source: svchost.exe, 00000013.00000002.4628152264.00000220AD840000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600UE
Source: svchost.exe, 00000013.00000003.2179162997.00000220AE13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2178902127.00000220AE129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179208263.00000220AE140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179026311.00000220AE152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628188243.00000220AD85F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
Source: svchost.exe, 00000013.00000003.2179162997.00000220AE13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2178902127.00000220AE129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179208263.00000220AE140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628188243.00000220AD85F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
Source: svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2178902127.00000220AE129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179026311.00000220AE152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628188243.00000220AD85F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
Source: svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179371122.00000220AE16B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628188243.00000220AD85F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
Source: svchost.exe, 00000013.00000003.2178902127.00000220AE12C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfm
Source: svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
Source: svchost.exe, 00000013.00000003.2179162997.00000220AE13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179208263.00000220AE140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=805023
Source: svchost.exe, 00000013.00000002.4628152264.00000220AD840000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502R
Source: svchost.exe, 00000013.00000003.2179162997.00000220AE13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2178902127.00000220AE129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628152264.00000220AD840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179208263.00000220AE140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
Source: svchost.exe, 00000013.00000003.2179162997.00000220AE13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179722342.00000220AE156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2178902127.00000220AE129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628152264.00000220AD840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179208263.00000220AE140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179026311.00000220AE152000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
Source: svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2178902127.00000220AE129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179026311.00000220AE152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628188243.00000220AD85F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
Source: svchost.exe, 00000013.00000003.2179162997.00000220AE13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179208263.00000220AE140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=806034
Source: svchost.exe, 00000013.00000003.2179026311.00000220AE152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628188243.00000220AD85F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
Source: svchost.exe, 00000013.00000003.2179162997.00000220AE13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179208263.00000220AE140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=806041
Source: svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2178902127.00000220AE129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179026311.00000220AE152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628188243.00000220AD85F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
Source: svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2178902127.00000220AE129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179026311.00000220AE152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628188243.00000220AD85F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
Source: svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2178902127.00000220AE129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179026311.00000220AE152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628188243.00000220AD85F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
Source: svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2178902127.00000220AE129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179026311.00000220AE152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628188243.00000220AD85F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179187786.00000220AE157000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
Source: svchost.exe, 00000013.00000003.2178902127.00000220AE129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179026311.00000220AE152000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&amp;fid=cp
Source: svchost.exe, 00000013.00000003.2178902127.00000220AE12C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179000146.00000220AE15A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 00000013.00000002.4628152264.00000220AD840000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp8
Source: svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2178902127.00000220AE129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179026311.00000220AE152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628188243.00000220AD85F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
Source: svchost.exe, 00000013.00000003.2179162997.00000220AE13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179208263.00000220AE140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628188243.00000220AD85F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 00000013.00000003.2179162997.00000220AE13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179208263.00000220AE140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628188243.00000220AD85F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
Source: svchost.exe, 00000013.00000002.4628188243.00000220AD85F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf3
Source: svchost.exe, 00000013.00000003.2224062977.00000220AE643000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2178980151.00000220AE110000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628188243.00000220AD85F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
Source: svchost.exe, 00000013.00000003.2179162997.00000220AE13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628152264.00000220AD840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179208263.00000220AE140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
Source: svchost.exe, 00000013.00000003.2179162997.00000220AE13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179208263.00000220AE140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
Source: svchost.exe, 00000013.00000002.4628152264.00000220AD840000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srfLive
Source: svchost.exe, 00000013.00000002.4628152264.00000220AD840000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/resetpw.srf
Source: svchost.exe, 00000013.00000003.2179162997.00000220AE13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179208263.00000220AE140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/resetpw.srfe
Source: svchost.exe, 00000013.00000003.2179162997.00000220AE13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628152264.00000220AD840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179208263.00000220AE140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/retention.srf
Source: svchost.exe, 00000013.00000002.4628188243.00000220AD85F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628649394.00000220AD8E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com:443/RST2.srf
Source: svchost.exe, 00000013.00000002.4629284784.00000220AE67F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com:443/RST2.srfityCRL
Source: svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628188243.00000220AD85F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/MSARST2.srf
Source: svchost.exe, 00000013.00000003.2179162997.00000220AE13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179208263.00000220AE140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/MSARST2.srfm
Source: svchost.exe, 00000013.00000003.2179162997.00000220AE13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179208263.00000220AE140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 00000013.00000002.4628152264.00000220AD840000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srfJ
Source: svchost.exe, 00000013.00000002.4628152264.00000220AD840000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf.
Source: svchost.exe, 00000013.00000003.2178980151.00000220AE110000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf:CLSID
Source: svchost.exe, 00000013.00000003.2179162997.00000220AE13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179208263.00000220AE140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 00000013.00000002.4628152264.00000220AD840000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf-
Source: svchost.exe, 00000013.00000003.2179162997.00000220AE13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179208263.00000220AE140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf
Source: svchost.exe, 00000013.00000002.4628152264.00000220AD840000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf%
Source: svchost.exe, 00000013.00000003.2179162997.00000220AE13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628152264.00000220AD840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179208263.00000220AE140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 00000013.00000003.2179162997.00000220AE13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179315633.00000220AE163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628152264.00000220AD840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2179208263.00000220AE140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 00000013.00000003.2178980151.00000220AE110000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf
Source: svchost.exe, 00000013.00000003.2179520754.00000220AE127000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srfMM
Source: svchost.exe, 00000013.00000003.2178980151.00000220AE110000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628152264.00000220AD840000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf
Source: svchost.exe, 00000013.00000003.2178980151.00000220AE110000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srfRE
Source: powershell.exe, 00000014.00000002.5284850816.0000023D12EF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.5395052785.0000023D21691000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: InstallUtil.exe, 00000024.00000002.5890381088.0000000002F87000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003147000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003027000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003071000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003330000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002FBA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com
Source: InstallUtil.exe, 00000024.00000002.5890381088.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/E0rY26ni
Source: RegAsm.exe, 0000002C.00000002.4059491346.00000000008AB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000002C.00000002.4059491346.00000000008C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://productivelookewr.shop/
Source: RegAsm.exe, 0000002C.00000002.4027928722.0000000000856000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000002C.00000002.4059491346.00000000008C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://productivelookewr.shop/api
Source: RegAsm.exe, 0000002C.00000002.4059491346.00000000008C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://productivelookewr.shop/apis
Source: RegAsm.exe, 0000002C.00000002.4059491346.00000000008C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://productivelookewr.shop:443/api
Source: InstallUtil.exe, 00000024.00000002.5890381088.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003225000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003519000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000326D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000304B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000346D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002E17000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003345000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://realdeepai.org
Source: InstallUtil.exe, 00000024.00000002.5890381088.0000000003503000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://realdeepai.org/6779d89b7a368f4f3f3
Source: InstallUtil.exe, 00000024.00000002.5890381088.0000000003310000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://realdeepai.org/6779d89b7a368f4f3f340b5
Source: InstallUtil.exe, 00000024.00000002.5890381088.0000000002FF9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://realdeepai.org/6779d89b7a368f4f3f340b50a9d
Source: InstallUtil.exe, 00000024.00000002.5890381088.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003513000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://realdeepai.org/6779d89b7a368f4f3f340b50a9d18d7
Source: InstallUtil.exe, 00000024.00000002.5890381088.0000000003330000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003310000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002FBA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002F02000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.00000000032DB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000318F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://realdeepai.org/6779d89b7a368f4f3f340b50a9d18d71.exe
Source: InstallUtil.exe, 00000024.00000002.5890381088.0000000002E2A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003513000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002E07000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003071000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003330000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002E17000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002DF4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://realdeepai.org/6779d89b7a368f4f3f340b50a9d18d71.exe4k2
Source: InstallUtil.exe, 00000024.00000002.5890381088.0000000003535000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.00000000033FC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000322F000.00000004.00000800.00020000.00000000.sdmp, LfTUXDPwxqflzUdNce50hrbG.exe.36.dr String found in binary or memory: https://sectigo.com/CPS0
Source: ISetup8.exe, 00000018.00000003.2807691606.0000000005115000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0D
Source: svchost.exe, 00000013.00000003.2179208263.00000220AE140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://signup.live.com/signup.aspx
Source: InstallUtil.exe, 00000024.00000002.5890381088.0000000002FCC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003225000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003519000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000326D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000333B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000319F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000304B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.00000000031AD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000346D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003121000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003216000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000315B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://skategirls.org
Source: InstallUtil.exe, 00000024.00000002.5890381088.000000000319F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.00000000033FC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003513000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000304B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002F87000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002ECF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003330000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003310000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002FBA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.00000000032DB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000318F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://skategirls.org/baf14778c246e15550645e30ba78ce1c.exe
Source: InstallUtil.exe, 00000024.00000002.5890381088.000000000319F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003513000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003330000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://skategirls.org/baf14778c246e15550645e30ba78ce1c.exe4k2
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6270082528.000000000D0B4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://statsexplorer.org
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6270082528.000000000D0DA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://statsexplorer.orghttp://3ebu257qh2dlauxqj7cgv3i55e4orb55mwgqf4tq7eicsa3dfhr4aaid.onion
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6270082528.000000000D010000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://statsexplorer.orghttps://statsexplorer.org
Source: u1eg.0.exe, 00000020.00000003.5101039014.000000002E4E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: u1eg.0.exe, 00000020.00000003.5101039014.000000002E4E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.0000000003E40000.00000040.00001000.00020000.00000000.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000400000.00000040.00000001.01000000.0000001F.sdmp String found in binary or memory: https://turnitin.com/robot/crawlerinfo.html)cannot
Source: podaw.exe, 00000030.00000003.3766083236.00000000013EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: podaw.exe, 00000030.00000003.3766083236.00000000013EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: ISetup8.exe, 00000018.00000003.2807691606.0000000005115000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: u1eg.0.exe, 00000020.00000002.5887832543.0000000001E7C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: u1eg.0.exe, 00000020.00000002.5859591620.0000000000447000.00000040.00000001.01000000.00000016.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: u1eg.0.exe, 00000020.00000002.5859591620.0000000000447000.00000040.00000001.01000000.00000016.sdmp String found in binary or memory: https://www.mozilla.org/about/dHh0
Source: u1eg.0.exe, 00000020.00000003.5101039014.000000002E4E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: u1eg.0.exe, 00000020.00000002.5859591620.0000000000447000.00000040.00000001.01000000.00000016.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: u1eg.0.exe, 00000020.00000003.5101039014.000000002E4E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: u1eg.0.exe, 00000020.00000002.5859591620.0000000000447000.00000040.00000001.01000000.00000016.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: u1eg.0.exe, 00000020.00000003.5101039014.000000002E4E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: u1eg.0.exe, 00000020.00000002.5859591620.0000000000447000.00000040.00000001.01000000.00000016.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: u1eg.0.exe, 00000020.00000003.5101039014.000000002E4E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: u1eg.0.exe, 00000020.00000002.5859591620.0000000000447000.00000040.00000001.01000000.00000016.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: u1eg.0.exe, 00000020.00000003.5101039014.000000002E4E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: u1eg.0.exe, 00000020.00000002.5859591620.0000000000447000.00000040.00000001.01000000.00000016.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe
Source: InstallUtil.exe, 00000024.00000002.5890381088.000000000326D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003299000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003027000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000310C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003071000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003310000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://yip.su
Source: InstallUtil.exe, 00000024.00000002.5890381088.0000000003369000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000342F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://yip.su/RNWPd
Source: InstallUtil.exe, 00000024.00000002.5890381088.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://yip.su/RNWPd.exe
Source: file300un.exe, 0000001D.00000002.2861385706.000001F09E9A5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5770611236.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://yip.su/RNWPd.exeChttps://pastebin.com/raw/E0rY26ni5https://iplogger.com/1lyxz
Source: InstallUtil.exe, 00000024.00000002.5890381088.0000000003369000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.000000000342F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003357000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000002E7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://yip.su/redirect-
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0042AFE0 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 8_2_0042AFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0042B190 GetDC,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 8_2_0042B190

E-Banking Fraud

Source: Yara match File source: 49.2.G5ySvIIiUZEng2gHEb0ia9X8.exe.3e40e67.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 49.2.G5ySvIIiUZEng2gHEb0ia9X8.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000031.00000002.5829605644.0000000000843000.00000040.00000001.01000000.0000001F.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000002.6053929407.0000000004283000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: G5ySvIIiUZEng2gHEb0ia9X8.exe PID: 7812, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe File created: C:\Users\user\AppData\Local\Temp\Tmp6FC7.tmp
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe File created: C:\Users\user\AppData\Local\Temp\Tmp6FE7.tmp

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe File created: C:\Users\user\AppData\Local\Temp\u1eg.1.zip entropy: 7.99827140742
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\U9sERAOeNr3mgv0e80M6A4fC.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\ndb0fcrEXTitnmEiCwbBu17x.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\YmRHdVjMjWfgOGnmlpMeFk3W.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\Ip8wtphk0sq5W1G9S0yXoRhB.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\OcXMLXs1I7uPacTR3wj6FpuO.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\bR4U6XYd9TFO6UTaUKN5r2h6.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\56MSgzGjt7DCxuJwG3rlLC0n.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\kqWcoPWge2lBBTisp4lafa9T.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\anYrNMf7BkK2nQqzIYyWir6K.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\cPV2bRPfjMzAHIg1WdlvEFuz.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\kJQmHVN1ymzFf6h1SAx9MRkd.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\LqEGPBEKUCUhBDJKv5mRRgZQ.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\CW6I446Upi6pRJwdKk7DKik9.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\9MxwoVYUchzxPb9DWfXpxtIo.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\0LDENujoRxGDNSg8nAFeOW4T.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\hi1aLhmXAS9IuYfXRpFgbtIN.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\NjV6zIGZdVX0WeB8KyD9vVQX.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\yqAccZXldjURDvuE02Wzx66b.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\ASNAP1v7gSBWUV4M24VeAq7L.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\H5yNpx42S8IZUDziNao5NoiZ.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\CzkueZo2uibKMWVlxXuuuYuf.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\2Tou5zGna3sRH11GciMBbZgS.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\dr1rk0EffiWHIOEoIM0y02vz.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\E2J4txsMwXF0FC1lSl4LeyeC.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\U9TaXZF4Dtll7HWLvlflgS1k.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\c5Evvv7PYHJO6LpEaGq866pm.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\a61Zt3kxeVox4lwkSb04Exqv.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\KD4MGqBmnl5yi0hAsXLSbdSy.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\xyMqBBjqvGfUL37YvYIuomy7.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\xiBUq473AMEj3R5tdfFowrHB.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\3ffKdsqDDK85YKPHUJ1yg9YY.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\yWV9WwJcUosMiP7cfkSd3H82.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\mOkLcaTZpbuoAYzmfUDWaVew.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\QeUXLRBK3hnXmDh6BxEoxRr1.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\ZdJVnsAsGFXjRLisReQL9qeg.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\OQgcqQkt9mj3bwxHnZIa4s8D.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\2fZdJDwSJsgUfWXz4vfSCNc2.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\y37mD1IuO45o81MbxoPzuNXd.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\dPOp3jG6cTg3qN9wSAMJoEyW.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\ME586VT0sUE29Jo7X6zYQs1O.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\iPlB1qbFQFH1ftEutDuOvKvu.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\qk0x06I6JhykUr9FfyCqWusc.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\1vyyhjyTv0WQsnxGKVgh8uWj.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\UiQzdb0JuVAuKhgIqFvM40tD.exe entropy: 7.99600397135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\NrlBY7PHizkvtumpXDF2ZwbO.exe entropy: 7.99600397135
Source: C:\Users\user\Pictures\CpqmTFb0JovJ1ZbssYgoEukK.exe File created: C:\Users\user\AppData\Local\Temp\u5xs.1.zip entropy: 7.99827140742

System Summary

Source: 50.2.alexxxxxxxx.exe.48fd86.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 50.2.alexxxxxxxx.exe.48fd86.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 50.2.alexxxxxxxx.exe.36cfe2.1.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 50.2.alexxxxxxxx.exe.250000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 50.2.alexxxxxxxx.exe.250000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 50.2.alexxxxxxxx.exe.250000.0.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 50.2.alexxxxxxxx.exe.36cfe2.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 50.2.alexxxxxxxx.exe.48fd86.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 50.2.alexxxxxxxx.exe.48fd86.3.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000018.00000002.3673494333.0000000001B90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000018.00000002.3745565486.0000000001C9B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000020.00000002.5887240245.0000000001DDB000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000002F.00000002.3796487217.0000000003690000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000002F.00000002.3796251216.0000000001D0B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000031.00000002.6000753987.00000000038FF000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000020.00000002.5871967862.0000000001B40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000032.00000002.3329080036.000000000040D000.00000004.00000001.01000000.00000020.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 00000031.00000002.6053929407.0000000003E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: swiiiii[1].exe.2.dr, RemoteObjects.cs Large array initialization: RemoteObjects: array initializer size 297472
Source: swiiiii.exe.2.dr, RemoteObjects.cs Large array initialization: RemoteObjects: array initializer size 297472
Source: swiiii[1].exe.2.dr, RemoteObjects.cs Large array initialization: RemoteObjects: array initializer size 153088
Source: swiiii.exe.2.dr, RemoteObjects.cs Large array initialization: RemoteObjects: array initializer size 153088
Source: U8uFcjIjAR.exe Static PE information: section name:
Source: U8uFcjIjAR.exe Static PE information: section name: .idata
Source: U8uFcjIjAR.exe Static PE information: section name:
Source: explorha.exe.0.dr Static PE information: section name:
Source: explorha.exe.0.dr Static PE information: section name: .idata
Source: explorha.exe.0.dr Static PE information: section name:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_004371C0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_004371C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_004381B0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_004381B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_004322C0 NtAllocateVirtualMemory,NtFreeVirtualMemory,RtlAllocateHeap,NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_004322C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_004372F0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_004372F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00415300 NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_00415300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00438470 NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_00438470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_004344DB NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_004344DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00437550 NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_00437550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_004376C0 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_004376C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_004166A7 NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_004166A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0041B6AF NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_0041B6AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_004177E0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_004177E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00415B15 NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_00415B15
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00419C00 NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_00419C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00423C16 NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_00423C16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00433CF7 NtOpenSection, 8_2_00433CF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00416C80 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_00416C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00434D0A NtMapViewOfSection, 8_2_00434D0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00436E10 NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_00436E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0041EFD0 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_0041EFD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00436FF0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_00436FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_004180C5 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_004180C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00413145 NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_00413145
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00430450 NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_00430450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00437420 NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_00437420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00417670 NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_00417670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00432600 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_00432600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_004136F0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_004136F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_004328F0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_004328F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00421890 NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_00421890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_004379E0 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_004379E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00432A50 NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_00432A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0041BA3C NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_0041BA3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0041DA90 NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_0041DA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00432B60 NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_00432B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00418B31 NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_00418B31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0041DBF0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_0041DBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00432C90 NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_00432C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00437D70 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_00437D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00432DA0 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_00432DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00419E30 NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_00419E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00416E36 NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_00416E36
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00423FF3 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 8_2_00423FF3
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: 22_2_0010CC87 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers, 22_2_0010CC87
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe File created: C:\Windows\Tasks\explorha.job
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Code function: 5_2_02EC0E8F 5_2_02EC0E8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00401740 8_2_00401740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00404AB0 8_2_00404AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0041EFD0 8_2_0041EFD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0042404C 8_2_0042404C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00401000 8_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_004301F0 8_2_004301F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_004051B0 8_2_004051B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00403350 8_2_00403350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0040A300 8_2_0040A300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00411410 8_2_00411410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_004064F0 8_2_004064F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00403740 8_2_00403740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00405700 8_2_00405700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_004379E0 8_2_004379E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00406BF0 8_2_00406BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00420BFA 8_2_00420BFA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00437D70 8_2_00437D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0041DDB7 8_2_0041DDB7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00423F4D 8_2_00423F4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00407FE0 8_2_00407FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00423FF3 8_2_00423FF3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_00007FF8487921FA 20_2_00007FF8487921FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_00007FF848790E35 20_2_00007FF848790E35
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: 22_2_001330F8 22_2_001330F8
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: 22_2_00116283 22_2_00116283
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: 22_2_00138640 22_2_00138640
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: 22_2_001116F3 22_2_001116F3
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: 22_2_001376EB 22_2_001376EB
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: 22_2_0013780B 22_2_0013780B
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: 22_2_00132C60 22_2_00132C60
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: 22_2_00113EE2 22_2_00113EE2
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: 22_2_00127F10 22_2_00127F10
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: 22_2_00110F04 22_2_00110F04
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: 22_2_00136F99 22_2_00136F99
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_0083DC74 23_2_0083DC74
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_02336268 23_2_02336268
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_0233A018 23_2_0233A018
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_02332041 23_2_02332041
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_023396F8 23_2_023396F8
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_0233F6E0 23_2_0233F6E0
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_0233B518 23_2_0233B518
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_02335DC0 23_2_02335DC0
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_0233E829 23_2_0233E829
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_0233A00B 23_2_0233A00B
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_0233DF10 23_2_0233DF10
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_0233B508 23_2_0233B508
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_023A5AA0 23_2_023A5AA0
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_023A834C 23_2_023A834C
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_023A2900 23_2_023A2900
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_023A7940 23_2_023A7940
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_023A51C0 23_2_023A51C0
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_023A3E38 23_2_023A3E38
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_023A1E28 23_2_023A1E28
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_023A1650 23_2_023A1650
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_023A0728 23_2_023A0728
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_023AC700 23_2_023AC700
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_023A3430 23_2_023A3430
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_023A6C10 23_2_023A6C10
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_023A2480 23_2_023A2480
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_023A4590 23_2_023A4590
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_023A5A9B 23_2_023A5A9B
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_023A28F3 23_2_023A28F3
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_023A61E0 23_2_023A61E0
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_023A1E19 23_2_023A1E19
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_023A1640 23_2_023A1640
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_023A0719 23_2_023A0719
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_023A2FF8 23_2_023A2FF8
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_023A342B 23_2_023A342B
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_023A0D80 23_2_023A0D80
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_04B16948 23_2_04B16948
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_04B17C20 23_2_04B17C20
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_04B10006 23_2_04B10006
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_04B10040 23_2_04B10040
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_04B17C10 23_2_04B17C10
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_05D267D8 23_2_05D267D8
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_05D2A3E8 23_2_05D2A3E8
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_05D23F50 23_2_05D23F50
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_05D2A3D8 23_2_05D2A3D8
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_05D26FF8 23_2_05D26FF8
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_05D26FE8 23_2_05D26FE8
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_00427880 24_2_00427880
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_0040B8AE 24_2_0040B8AE
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_0040C191 24_2_0040C191
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_004123A0 24_2_004123A0
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_0040F441 24_2_0040F441
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_0040C44C 24_2_0040C44C
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_0042140C 24_2_0042140C
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_0040BC20 24_2_0040BC20
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_0041BE39 24_2_0041BE39
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_0040BECA 24_2_0040BECA
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_00408761 24_2_00408761
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_0041B722 24_2_0041B722
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_0040C7FC 24_2_0040C7FC
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_01BAB989 24_2_01BAB989
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_01B989C8 24_2_01B989C8
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_01B9C131 24_2_01B9C131
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_01B9C3F8 24_2_01B9C3F8
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_01B9BB15 24_2_01B9BB15
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_01BB7AE7 24_2_01BB7AE7
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_01B9CA63 24_2_01B9CA63
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_01B9C6B3 24_2_01B9C6B3
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_01B9F6A8 24_2_01B9F6A8
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_01B9BE87 24_2_01B9BE87
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_01BA2607 24_2_01BA2607
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: String function: 01B99F27 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: String function: 01B91BE3 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: String function: 01BB7A73 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: String function: 01B936F8 appears 184 times
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: String function: 00409CC0 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: String function: 01B91D46 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: String function: 0042780C appears 43 times
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: String function: 0010DA42 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: String function: 0010E080 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: String function: 00108580 appears 137 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00409160 appears 162 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00408A40 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 004043B0 appears 315 times
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3580 -ip 3580
Source: file300un.exe.2.dr Static PE information: No import functions for PE file found
Source: file300un[1].exe.2.dr Static PE information: No import functions for PE file found
Source: U8uFcjIjAR.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 50.2.alexxxxxxxx.exe.48fd86.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 50.2.alexxxxxxxx.exe.48fd86.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 50.2.alexxxxxxxx.exe.36cfe2.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 50.2.alexxxxxxxx.exe.250000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 50.2.alexxxxxxxx.exe.250000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 50.2.alexxxxxxxx.exe.250000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 50.2.alexxxxxxxx.exe.36cfe2.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 50.2.alexxxxxxxx.exe.48fd86.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 50.2.alexxxxxxxx.exe.48fd86.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000018.00000002.3673494333.0000000001B90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000018.00000002.3745565486.0000000001C9B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000020.00000002.5887240245.0000000001DDB000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000002F.00000002.3796487217.0000000003690000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000002F.00000002.3796251216.0000000001D0B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000031.00000002.6000753987.00000000038FF000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000020.00000002.5871967862.0000000001B40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000032.00000002.3329080036.000000000040D000.00000004.00000001.01000000.00000020.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 00000031.00000002.6053929407.0000000003E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: swiiiii[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: swiiiii.exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: swiiii[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: swiiii.exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: U8uFcjIjAR.exe Static PE information: Section: ZLIB complexity 0.998046875
Source: U8uFcjIjAR.exe Static PE information: Section: jvalonlg ZLIB complexity 0.9945386046158519
Source: explorha.exe.0.dr Static PE information: Section: ZLIB complexity 0.998046875
Source: explorha.exe.0.dr Static PE information: Section: jvalonlg ZLIB complexity 0.9945386046158519
Source: file300un[1].exe.2.dr, --------.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: file300un.exe.2.dr, --------.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: classification engine Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@314/432@0/31
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_01C9BB9E CreateToolhelp32Snapshot,Module32First, 24_2_01C9BB9E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00427EC8 CoCreateInstance, 8_2_00427EC8
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Roaming\a091ec0a6e2227
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4432:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3580
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5692:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1524:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7452
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Mutant created: \Sessions\1\BaseNamedObjects\07c6bc37dc50874878dcb010336ed906
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3012:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5624:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:7600:64:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5892:120:WilError_03
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4764
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7284:120:WilError_03
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe File created: C:\Users\user\AppData\Local\Temp\09fd851a4f
Source: Yara match File source: 00000018.00000003.2807691606.0000000004D0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\u1eg.3.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\1000077001\jfesawdr.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat" "
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: eight 24_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: eight 24_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: 185.172.128.90 24_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: 185.172.128.90 24_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: 185.172.128.90 24_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: Installed 24_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: Installed 24_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: 185.172.128.228 24_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: 185.172.128.228 24_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: 185.172.128.228 24_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: 185.172.128.59 24_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: 185.172.128.59 24_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: 185.172.128.203 24_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: 185.172.128.203 24_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: /syncUpd.exe 24_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: /syncUpd.exe 24_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: /timeSync.exe 24_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: /timeSync.exe 24_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: 185.172.128.203 24_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: 185.172.128.59 24_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: /timeSync.exe 24_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: /syncUpd.exe 24_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: .exe 24_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: .exe 24_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: /1/Package.zip 24_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: /1/Package.zip 24_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: /1/Package.zip 24_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: .zip 24_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: .zip 24_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: \run.exe 24_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: \run.exe 24_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: 185.172.128.228 24_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: 185.172.128.228 24_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: /BroomSetup.exe 24_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: /BroomSetup.exe 24_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: 185.172.128.228 24_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: /BroomSetup.exe 24_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: .exe 24_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: .exe 24_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: @ 24_2_01BB4C75
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: 185.172.128.90 24_2_01BB4C75
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: 185.172.128.90 24_2_01BB4C75
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: 185.172.128.90 24_2_01BB4C75
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: Installed 24_2_01BB4C75
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: Installed 24_2_01BB4C75
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: 185.172.128.228 24_2_01BB4C75
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: 185.172.128.228 24_2_01BB4C75
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: 185.172.128.228 24_2_01BB4C75
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: 185.172.128.59 24_2_01BB4C75
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: 185.172.128.59 24_2_01BB4C75
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: 185.172.128.203 24_2_01BB4C75
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: 185.172.128.203 24_2_01BB4C75
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: /syncUpd.exe 24_2_01BB4C75
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: /syncUpd.exe 24_2_01BB4C75
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: /timeSync.exe 24_2_01BB4C75
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: /timeSync.exe 24_2_01BB4C75
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: 185.172.128.203 24_2_01BB4C75
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: 185.172.128.59 24_2_01BB4C75
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: /timeSync.exe 24_2_01BB4C75
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: /syncUpd.exe 24_2_01BB4C75
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: .exe 24_2_01BB4C75
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: .exe 24_2_01BB4C75
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: /1/Package.zip 24_2_01BB4C75
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: /1/Package.zip 24_2_01BB4C75
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: /1/Package.zip 24_2_01BB4C75
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: .zip 24_2_01BB4C75
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: .zip 24_2_01BB4C75
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: \run.exe 24_2_01BB4C75
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: \run.exe 24_2_01BB4C75
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: 185.172.128.228 24_2_01BB4C75
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: 185.172.128.228 24_2_01BB4C75
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: /BroomSetup.exe 24_2_01BB4C75
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: /BroomSetup.exe 24_2_01BB4C75
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: 185.172.128.228 24_2_01BB4C75
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: /BroomSetup.exe 24_2_01BB4C75
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: .exe 24_2_01BB4C75
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Command line argument: .exe 24_2_01BB4C75
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Pictures\G5ySvIIiUZEng2gHEb0ia9X8.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1000233001\4767d2e713f2021e8fe856e3ea638b58.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: u1eg.0.exe, 00000020.00000002.6089375821.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u1eg.0.exe, 00000020.00000002.6096225459.00000000641CF000.00000002.00000001.01000000.00000022.sdmp, u1eg.0.exe, 00000020.00000002.5998228928.000000001C293000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: u1eg.0.exe, 00000020.00000002.6089375821.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u1eg.0.exe, 00000020.00000002.6096225459.00000000641CF000.00000002.00000001.01000000.00000022.sdmp, u1eg.0.exe, 00000020.00000002.5998228928.000000001C293000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: u1eg.0.exe, 00000020.00000002.6089375821.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u1eg.0.exe, 00000020.00000002.6096225459.00000000641CF000.00000002.00000001.01000000.00000022.sdmp, u1eg.0.exe, 00000020.00000002.5998228928.000000001C293000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: u1eg.0.exe, 00000020.00000002.6089375821.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u1eg.0.exe, 00000020.00000002.6096225459.00000000641CF000.00000002.00000001.01000000.00000022.sdmp, u1eg.0.exe, 00000020.00000002.5998228928.000000001C293000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: u1eg.0.exe, 00000020.00000002.6089375821.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u1eg.0.exe, 00000020.00000002.6096225459.00000000641CF000.00000002.00000001.01000000.00000022.sdmp, u1eg.0.exe, 00000020.00000002.5998228928.000000001C293000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: u1eg.0.exe, 00000020.00000002.6089375821.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u1eg.0.exe, 00000020.00000002.5998228928.000000001C293000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: u1eg.0.exe, 00000020.00000002.6089375821.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u1eg.0.exe, 00000020.00000002.6096225459.00000000641CF000.00000002.00000001.01000000.00000022.sdmp, u1eg.0.exe, 00000020.00000002.5998228928.000000001C293000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: rundll32.exe, 00000006.00000002.5624870860.0000016236638000.00000004.00000020.00020000.00000000.sdmp, u1eg.0.exe, 00000020.00000003.5014158653.000000002236E000.00000004.00000020.00020000.00000000.sdmp, u1eg.0.exe, 00000020.00000003.5020952122.0000000001EB7000.00000004.00000020.00020000.00000000.sdmp, podaw.exe, 00000030.00000003.3078548436.000000000391C000.00000004.00000800.00020000.00000000.sdmp, podaw.exe, 00000030.00000003.3026659621.000000000393A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: u1eg.0.exe, 00000020.00000002.6089375821.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u1eg.0.exe, 00000020.00000002.5998228928.000000001C293000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: u1eg.0.exe, 00000020.00000002.6089375821.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u1eg.0.exe, 00000020.00000002.5998228928.000000001C293000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: U8uFcjIjAR.exe Virustotal: Detection: 56%
Source: U8uFcjIjAR.exe ReversingLabs: Detection: 52%
Source: U8uFcjIjAR.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorha.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe File read: C:\Users\user\Desktop\U8uFcjIjAR.exe
Source: unknown Process created: C:\Users\user\Desktop\U8uFcjIjAR.exe "C:\Users\user\Desktop\U8uFcjIjAR.exe"
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe "C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe"
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3580 -ip 3580
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 924
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe "C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe"
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe" /F
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe "C:\Users\user\AppData\Local\Temp\1000071001\jok.exe"
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Process created: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe "C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe "C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe"
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe"
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Process created: C:\Users\user\AppData\Local\Temp\u1eg.0.exe "C:\Users\user\AppData\Local\Temp\u1eg.0.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000077001\jfesawdr.exe "C:\Users\user\AppData\Local\Temp\1000077001\jfesawdr.exe"
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 436 -p 4764 -ip 4764
Source: C:\Users\user\AppData\Local\Temp\1000077001\jfesawdr.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4764 -s 1500
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe work.exe -priverdD
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe "C:\Users\user\AppData\Local\Temp\1000079001\gold.exe"
Source: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 7452 -ip 7452
Source: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7452 -s 372
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Users\user\Pictures\CpqmTFb0JovJ1ZbssYgoEukK.exe "C:\Users\user\Pictures\CpqmTFb0JovJ1ZbssYgoEukK.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe "C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Users\user\Pictures\G5ySvIIiUZEng2gHEb0ia9X8.exe "C:\Users\user\Pictures\G5ySvIIiUZEng2gHEb0ia9X8.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000080001\alexxxxxxxx.exe "C:\Users\user\AppData\Local\Temp\1000080001\alexxxxxxxx.exe"
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Process created: C:\Users\user\AppData\Local\Temp\1000233001\4767d2e713f2021e8fe856e3ea638b58.exe "C:\Users\user\AppData\Local\Temp\1000233001\4767d2e713f2021e8fe856e3ea638b58.exe"
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe "C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe "C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe "C:\Users\user\AppData\Local\Temp\1000071001\jok.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe "C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000077001\jfesawdr.exe "C:\Users\user\AppData\Local\Temp\1000077001\jfesawdr.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe "C:\Users\user\AppData\Local\Temp\1000079001\gold.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000080001\alexxxxxxxx.exe "C:\Users\user\AppData\Local\Temp\1000080001\alexxxxxxxx.exe"
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3580 -ip 3580
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 924
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 436 -p 4764 -ip 4764
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4764 -s 1500
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 7452 -ip 7452
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7452 -s 372
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: C:\Users\user\Pictures\CpqmTFb0JovJ1ZbssYgoEukK.exe "C:\Users\user\Pictures\CpqmTFb0JovJ1ZbssYgoEukK.exe"
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe" /F
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Process created: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe "C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe"
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Process created: C:\Users\user\AppData\Local\Temp\1000233001\4767d2e713f2021e8fe856e3ea638b58.exe "C:\Users\user\AppData\Local\Temp\1000233001\4767d2e713f2021e8fe856e3ea638b58.exe"
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Process created: C:\Users\user\AppData\Local\Temp\u1eg.0.exe "C:\Users\user\AppData\Local\Temp\u1eg.0.exe"
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" -Force
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\AppData\Local\Temp\1000077001\jfesawdr.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat" "
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Users\user\Pictures\CpqmTFb0JovJ1ZbssYgoEukK.exe "C:\Users\user\Pictures\CpqmTFb0JovJ1ZbssYgoEukK.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Users\user\Pictures\G5ySvIIiUZEng2gHEb0ia9X8.exe "C:\Users\user\Pictures\G5ySvIIiUZEng2gHEb0ia9X8.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat" "
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\System32\WerFault.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe work.exe -priverdD
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe "C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe"
Source: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\CpqmTFb0JovJ1ZbssYgoEukK.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\G5ySvIIiUZEng2gHEb0ia9X8.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000080001\alexxxxxxxx.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000233001\4767d2e713f2021e8fe856e3ea638b58.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Section loaded: mstask.dll
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Section loaded: dui70.dll
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Section loaded: chartv.dll
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wersvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windowsperformancerecordercontrol.dll
Source: C:\Windows\System32\svchost.exe Section loaded: weretw.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: faultrep.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dbgcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office
Source: U8uFcjIjAR.exe Static file information: File size 1892864 > 1048576
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: U8uFcjIjAR.exe Static PE information: Raw size of jvalonlg is bigger than: 0x100000 < 0x19ba00
Source: Binary string: mozglue.pdbP source: u1eg.0.exe, 00000020.00000002.6096699540.000000006885D000.00000002.00000001.01000000.00000023.sdmp
Source: Binary string: nss3.pdb@ source: u1eg.0.exe, 00000020.00000002.6096225459.00000000641CF000.00000002.00000001.01000000.00000022.sdmp
Source: Binary string: C:\toperusubal-zudenicurezu nof\39\kukego70\gada.pdb source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000000.2461943733.0000000000411000.00000002.00000001.01000000.0000001F.sdmp, 4767d2e713f2021e8fe856e3ea638b58.exe, 00000033.00000000.2469487126.0000000000411000.00000002.00000001.01000000.00000021.sdmp, rBkbJurNkGUDcfqWsMfUiKI9.exe.36.dr
Source: Binary string: Age does not matchThe module age and .pdb age do not match. source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: symsrv.pdb source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000C7A000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.00000000046B9000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\Anton\Desktop\UnionFiles\UnionFiles\obj\Debug\union.pdb source: alexxxxxxxx.exe, 00000032.00000002.3329080036.000000000040D000.00000004.00000001.01000000.00000020.sdmp
Source: Binary string: mozglue.pdb source: u1eg.0.exe, 00000020.00000002.6096699540.000000006885D000.00000002.00000001.01000000.00000023.sdmp
Source: Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000843000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.0000000004283000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000843000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.0000000004283000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: symsrv.pdbGCTL source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000C7A000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.00000000046B9000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\riranux\jasihomey\22\kula.pdb source: ISetup8.exe, 00000018.00000000.2223502674.0000000000411000.00000002.00000001.01000000.00000011.sdmp, ISetup8.exe, 00000018.00000002.3745771138.0000000001CD4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.6369327107.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.6369327107.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003487000.00000004.00000800.00020000.00000000.sdmp, CpqmTFb0JovJ1ZbssYgoEukK.exe, 0000002F.00000002.3796315364.0000000001D44000.00000004.00000020.00020000.00000000.sdmp, CpqmTFb0JovJ1ZbssYgoEukK.exe, 0000002F.00000000.2425786195.0000000000411000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: c:\tx2yxmt09kx\obj\Release\Croco.pdbt source: swiiiii.exe, 00000005.00000002.3118995157.00000000030A3000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000843000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.0000000004283000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\x64\Release\WinmonProcessMonitor.pdb source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000843000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.0000000004283000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: EfiGuardDxe.pdb source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: {!C:\toperusubal-zudenicurezu nof\39\kukego70\gada.pdb source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000000.2461943733.0000000000411000.00000002.00000001.01000000.0000001F.sdmp, 4767d2e713f2021e8fe856e3ea638b58.exe, 00000033.00000000.2469487126.0000000000411000.00000002.00000001.01000000.00000021.sdmp, rBkbJurNkGUDcfqWsMfUiKI9.exe.36.dr
Source: Binary string: C:\1ej6jx007\Body.pdb source: alexxxxxxxx.exe, 00000032.00000000.2565956379.000000000030B000.00000002.00000001.01000000.00000020.sdmp
Source: Binary string: Signature does not matchThe module signature does not match with .pdb signature source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: dbghelp.pdb source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: dbghelp.pdbGCTL source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: jfesawdr.exe, 00000021.00000000.2355046369.0000000000D34000.00000002.00000001.01000000.00000017.sdmp, jfesawdr.exe, 00000021.00000003.2364643272.0000000006E46000.00000004.00000020.00020000.00000000.sdmp, jfesawdr.exe, 00000021.00000003.2367292935.00000000056A2000.00000004.00000020.00020000.00000000.sdmp, jfesawdr.exe, 00000021.00000002.2550287078.0000000000D34000.00000002.00000001.01000000.00000017.sdmp, work.exe, 0000002A.00000002.5607567766.00000000004C4000.00000002.00000001.01000000.0000001B.sdmp, work.exe, 0000002A.00000000.2382750085.00000000004C4000.00000002.00000001.01000000.0000001B.sdmp
Source: Binary string: Loader.pdb source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000843000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.0000000004283000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\pisinep.pdb source: ISetup8.exe, 00000018.00000003.2278245560.0000000003761000.00000004.00000020.00020000.00000000.sdmp, u1eg.0.exe, 00000020.00000000.2276301293.0000000000411000.00000002.00000001.01000000.00000016.sdmp, CpqmTFb0JovJ1ZbssYgoEukK.exe, 0000002F.00000003.2616193995.0000000003701000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: EfiGuardDxe.pdb7 source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6000753987.00000000038FF000.00000040.00000020.00020000.00000000.sdmp
Source: Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: Q!C:\riranux\jasihomey\22\kula.pdb source: ISetup8.exe, 00000018.00000000.2223502674.0000000000411000.00000002.00000001.01000000.00000011.sdmp, ISetup8.exe, 00000018.00000002.3745771138.0000000001CD4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.6369327107.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.6369327107.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5890381088.0000000003487000.00000004.00000800.00020000.00000000.sdmp, CpqmTFb0JovJ1ZbssYgoEukK.exe, 0000002F.00000002.3796315364.0000000001D44000.00000004.00000020.00020000.00000000.sdmp, CpqmTFb0JovJ1ZbssYgoEukK.exe, 0000002F.00000000.2425786195.0000000000411000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: Downloading symbols for [%s] %ssrv*symsrv*http://https://_bad_pdb_file.pdb source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000843000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.0000000004283000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000843000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.0000000004283000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: Drive not readyThis error indicates a .pdb file related failure. source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: Unable to locate the .pdb file in this location source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: The module signature does not match with .pdb signature. source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: .pdb.dbg source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: '(EfiGuardDxe.pdbx source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\Release\WinmonProcessMonitor.pdb source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000843000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.0000000004283000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: fMC:\pisinep.pdb source: ISetup8.exe, 00000018.00000003.2278245560.0000000003761000.00000004.00000020.00020000.00000000.sdmp, u1eg.0.exe, 00000020.00000000.2276301293.0000000000411000.00000002.00000001.01000000.00000016.sdmp, CpqmTFb0JovJ1ZbssYgoEukK.exe, 0000002F.00000003.2616193995.0000000003701000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: or you do not have access permission to the .pdb location. source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000ACD000.00000040.00000001.01000000.0000001F.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.000000000450C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: c:\tx2yxmt09kx\obj\Release\Croco.pdb source: swiiiii.exe, 00000005.00000002.3118995157.00000000030A3000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: nss3.pdb source: u1eg.0.exe, 00000020.00000002.6096225459.00000000641CF000.00000002.00000001.01000000.00000022.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Unpacked PE file: 0.2.U8uFcjIjAR.exe.590000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jvalonlg:EW;ddmhcqjo:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;jvalonlg:EW;ddmhcqjo:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Unpacked PE file: 3.2.explorha.exe.ec0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jvalonlg:EW;ddmhcqjo:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;jvalonlg:EW;ddmhcqjo:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Unpacked PE file: 24.2.ISetup8.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe Unpacked PE file: 32.2.u1eg.0.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\Pictures\CpqmTFb0JovJ1ZbssYgoEukK.exe Unpacked PE file: 47.2.CpqmTFb0JovJ1ZbssYgoEukK.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Pictures\G5ySvIIiUZEng2gHEb0ia9X8.exe Unpacked PE file: 49.2.G5ySvIIiUZEng2gHEb0ia9X8.exe.400000.7.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Unpacked PE file: 24.2.ISetup8.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe Unpacked PE file: 32.2.u1eg.0.exe.400000.0.unpack
Source: C:\Users\user\Pictures\CpqmTFb0JovJ1ZbssYgoEukK.exe Unpacked PE file: 47.2.CpqmTFb0JovJ1ZbssYgoEukK.exe.400000.0.unpack
Source: C:\Users\user\Pictures\G5ySvIIiUZEng2gHEb0ia9X8.exe Unpacked PE file: 49.2.G5ySvIIiUZEng2gHEb0ia9X8.exe.400000.7.unpack
Source: jok[1].exe.2.dr Static PE information: 0xFC177629 [Thu Jan 10 08:13:29 2104 UTC]
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: 22_2_0011C08C LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 22_2_0011C08C
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: C:\Users\user\AppData\Local\Temp\1000077001\jfesawdr.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_3847187
Source: U8uFcjIjAR.exe Static PE information: real checksum: 0x1d1fe2 should be: 0x1d3851
Source: clip64.dll.2.dr Static PE information: real checksum: 0x0 should be: 0x1f783
Source: swiiiii.exe.2.dr Static PE information: real checksum: 0x562fb should be: 0x5eece
Source: swiiii.exe.2.dr Static PE information: real checksum: 0x0 should be: 0x32780
Source: explorha.exe.0.dr Static PE information: real checksum: 0x1d1fe2 should be: 0x1d3851
Source: NewB[1].exe.2.dr Static PE information: real checksum: 0x0 should be: 0x6bd55
Source: cred64[1].dll.2.dr Static PE information: real checksum: 0x0 should be: 0x147ee8
Source: swiiii[1].exe.2.dr Static PE information: real checksum: 0x0 should be: 0x32780
Source: NewB.exe.2.dr Static PE information: real checksum: 0x0 should be: 0x6bd55
Source: jok[1].exe.2.dr Static PE information: real checksum: 0x0 should be: 0x547e4
Source: cred64.dll.2.dr Static PE information: real checksum: 0x0 should be: 0x147ee8
Source: swiiiii[1].exe.2.dr Static PE information: real checksum: 0x562fb should be: 0x5eece
Source: clip64[1].dll.2.dr Static PE information: real checksum: 0x0 should be: 0x1f783
Source: jok.exe.2.dr Static PE information: real checksum: 0x0 should be: 0x547e4
Source: U8uFcjIjAR.exe Static PE information: section name:
Source: U8uFcjIjAR.exe Static PE information: section name: .idata
Source: U8uFcjIjAR.exe Static PE information: section name:
Source: U8uFcjIjAR.exe Static PE information: section name: jvalonlg
Source: U8uFcjIjAR.exe Static PE information: section name: ddmhcqjo
Source: U8uFcjIjAR.exe Static PE information: section name: .taggant
Source: explorha.exe.0.dr Static PE information: section name:
Source: explorha.exe.0.dr Static PE information: section name: .idata
Source: explorha.exe.0.dr Static PE information: section name:
Source: explorha.exe.0.dr Static PE information: section name: jvalonlg
Source: explorha.exe.0.dr Static PE information: section name: ddmhcqjo
Source: explorha.exe.0.dr Static PE information: section name: .taggant
Source: cred64[1].dll.2.dr Static PE information: section name: _RDATA
Source: cred64.dll.2.dr Static PE information: section name: _RDATA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0043E05C push ss; retf 8_2_0043E099
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0043CE48 push es; retn 0043h 8_2_0043CE49
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: 22_2_0010E0C6 push ecx; ret 22_2_0010E0D9
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: 22_2_00103440 push ss; ret 22_2_00103447
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: 22_2_0010DA1C push ecx; ret 22_2_0010DA2F
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_023A2FF8 push esp; iretd 23_2_023A3429
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Code function: 23_2_05D2ECF2 push eax; ret 23_2_05D2ED01
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_0042786C push ecx; ret 24_2_0042787C
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_0042780C push eax; ret 24_2_0042782A
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_0042E3A5 push esi; ret 24_2_0042E3AE
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_00409D06 push ecx; ret 24_2_00409D19
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_004097B6 push ecx; ret 24_2_004097C9
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_01BAC9FD push esp; retf 24_2_01BAC9FE
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_01BAC3FF push esp; retf 24_2_01BAC407
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_01BB1B72 push dword ptr [esp+ecx-75h]; iretd 24_2_01BB1B76
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_01BB7AD3 push ecx; ret 24_2_01BB7AE3
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_01B99A1D push ecx; ret 24_2_01B99A30
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_01BB7A73 push eax; ret 24_2_01BB7A91
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_01B99F6D push ecx; ret 24_2_01B99F80
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_01CA0359 push 00000061h; retf 24_2_01CA0361
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_01C9FA33 push 2B991403h; ret 24_2_01C9FA3A
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_01C9FD49 pushad ; retf 24_2_01C9FD50
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_01C9E530 push ecx; iretd 24_2_01C9E536
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_01C9D49B pushad ; retf 24_2_01C9D49C
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_01CA17BB push ebp; iretd 24_2_01CA17EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_004176C5 push ecx; ret 28_2_004176D8
Source: U8uFcjIjAR.exe Static PE information: section name: entropy: 7.984361939949586
Source: U8uFcjIjAR.exe Static PE information: section name: jvalonlg entropy: 7.953419678456497
Source: explorha.exe.0.dr Static PE information: section name: entropy: 7.984361939949586
Source: explorha.exe.0.dr Static PE information: section name: jvalonlg entropy: 7.953419678456497
Source: swiiiii[1].exe.2.dr Static PE information: section name: .text entropy: 7.992152217310619
Source: swiiiii.exe.2.dr Static PE information: section name: .text entropy: 7.992152217310619
Source: swiiii[1].exe.2.dr Static PE information: section name: .text entropy: 7.987813915261593
Source: swiiii.exe.2.dr Static PE information: section name: .text entropy: 7.987813915261593

Persistence and Installation Behavior

Source: C:\Windows\System32\svchost.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\swiiii[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\VIvaPgF4HG0I5BUqITqbcGpt.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\Hukfa3OXe0ABqVhMgk840KlD.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\ASNAP1v7gSBWUV4M24VeAq7L.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\SQz5qXC0XQfZInNOXxbOmSfU.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\yvu0DVxXmQgzDV8A7x4am1Ob.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\KMbSlAfByjkUF20UwkqxawkL.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Dgwsf7w4EFU0DJenPeJFQ9dl.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\U9sERAOeNr3mgv0e80M6A4fC.exe
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe File created: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\KeaeBYEoeSKrt7OHYQWgw9KY.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\jfesawdr[1].exe
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\NewB[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\5j4vJucQDJ5dRUHs8KgbU6zE.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\GRMRzFPp08Qf6xzoYXN3v0kJ.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\IJ5QGXKr1fcmeIhFX4JRmReR.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\4qdN2NXKzWFa5hVG8lUhV5aV.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\38jnFT91OuswY7e76EHimubt.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\U4x5QYt9YvcW7ZavDfqoMzWn.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\CcVsAa1aPXP8AeP3n8DklXlW.exe
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe File created: C:\Users\user\AppData\Local\Temp\u1eg.0.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\c5Evvv7PYHJO6LpEaGq866pm.exe
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe File created: C:\ProgramData\nss3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\K6IMtUjnmbObbtDmmgp6S08R.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\yWV9WwJcUosMiP7cfkSd3H82.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\dPOp3jG6cTg3qN9wSAMJoEyW.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\eZIEOd6NiDhJgVNwtWcx59tv.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\ReZDyiSv1d9oc9RKQh1HoSU9.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\SyhtUGQrnSlVAioQ4rVLOOjh.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\56MSgzGjt7DCxuJwG3rlLC0n.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\LqEGPBEKUCUhBDJKv5mRRgZQ.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\CpqmTFb0JovJ1ZbssYgoEukK.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\1vyyhjyTv0WQsnxGKVgh8uWj.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\TVwptXCoO7sIbkrRhjbE2PZI.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\YY0KEjD7nviDyOYS1Zel18Iz.exe
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\un2vphNUslz6zwbvA7PqkJW0.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\DP1cSbadxSZ4GN4Plf6lDD5t.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\Lg7nSLwyiJZjUSW4G0qcX1yV.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\iPlB1qbFQFH1ftEutDuOvKvu.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\xyMqBBjqvGfUL37YvYIuomy7.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\dAzTHvN7U1zbeiGER55JOdmD.exe
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\H5yNpx42S8IZUDziNao5NoiZ.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\2xEk595iCLChQEIkapYMtg4d.exe
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe File created: C:\Users\user\AppData\Local\Temp\u1eg.3.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\qk0x06I6JhykUr9FfyCqWusc.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\U9TaXZF4Dtll7HWLvlflgS1k.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\mOkLcaTZpbuoAYzmfUDWaVew.exe
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\a61Zt3kxeVox4lwkSb04Exqv.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\WwT2X5ly4j7TYqCo1DiUNFVe.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\NrlBY7PHizkvtumpXDF2ZwbO.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\cred64[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\reXPhdY9Ai5nG5RYgYEblrOi.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Q2ru8nMpr2nWW31YuPp81EFT.exe
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\cPV2bRPfjMzAHIg1WdlvEFuz.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\NjV6zIGZdVX0WeB8KyD9vVQX.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\bOup5lccxV9NOACTU5R4JYwk.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\2hzHYeaAvedtbB9n4Al5HAlc.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\pcgtAOzZa16Vv8MI85WMELIz.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Xf0R0h4D02qlmSsaNEARsgAC.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\xiBUq473AMEj3R5tdfFowrHB.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\LfTUXDPwxqflzUdNce50hrbG.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\IyaFodsxs5gjaIKXcsBknvbB.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\E2J4txsMwXF0FC1lSl4LeyeC.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\wtVMzXQafdDJfAuXHtN4Tdkn.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\nx2O4pl6JsljvUYganpkaIuz.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\bR4U6XYd9TFO6UTaUKN5r2h6.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\file300un[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\NxHsQz4fDCatJsgYrnTnuULR.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\I7ensOQctg1uAjq6Ow7TzO7R.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\7RNCUCyZQBj5TbzSirPLZTx4.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\yUP3tf3QnRZ1nTqTKGi8mWAl.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\5PRTInX0pnuXa8v8cOzJCXwY.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\YmRHdVjMjWfgOGnmlpMeFk3W.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\OcXMLXs1I7uPacTR3wj6FpuO.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\itqn5NboFEwVdvQSHIzKZ5Tx.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\5uecEsXehJwba0CTpV7r5w9J.exe
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\alexxxxxxxx[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\KD4MGqBmnl5yi0hAsXLSbdSy.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\FxfpxXMfHqygzvFNuTBvcdK4.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\mFxRdQLZpyvaCG50kC1Vvtgm.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\clip64[1].dll
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\Ip8wtphk0sq5W1G9S0yXoRhB.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\OQgcqQkt9mj3bwxHnZIa4s8D.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\2N7xiUcqYcPt4XwwaXd6aBnt.exe
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe File created: C:\Users\user\AppData\Local\Temp\1000233001\4767d2e713f2021e8fe856e3ea638b58.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\2H2iULi73jPqktFJ6OepOola.exe
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\ISetup8[1].exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\gold[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\rBkbJurNkGUDcfqWsMfUiKI9.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\PCUjpeIbitNbH0tzJuyqcPfq.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\IPYyjHxAPykR30zffbRrZF82.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\ZdJVnsAsGFXjRLisReQL9qeg.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\5RIkieBmHnRMmQ027PXhctux.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\dCJ2FGsdDNOePKsle0wc5xjs.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\hi1aLhmXAS9IuYfXRpFgbtIN.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\4gHWYulKwwC9mAGusyg1bN2y.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\yqAccZXldjURDvuE02Wzx66b.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\CzkueZo2uibKMWVlxXuuuYuf.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\X8dw09DkWg2FUJZX2MdQYMIH.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\5mXUxo0CobvbEjsxN58lv8JE.exe
Source: C:\Users\user\Pictures\CpqmTFb0JovJ1ZbssYgoEukK.exe File created: C:\Users\user\AppData\Local\Temp\u5xs.2\relay.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\9MxwoVYUchzxPb9DWfXpxtIo.exe
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe File created: C:\Users\user\AppData\Local\Temp\svrht.exe
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe File created: C:\ProgramData\softokn3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\HwacXgeZ7NROKRQE0PXEHrcz.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\tIMIX6FhTytIBgdKnsKEeTL9.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\KcPMpaa1kOoC1gyGKob3dUMA.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\QeUXLRBK3hnXmDh6BxEoxRr1.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\pvnkK7ERSt002PLOO6PmWB6P.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\vf0hhs68KGG55pTpbMQhmnEF.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\6NJQIAQREgE8pnH0Tc3vNghh.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\ww7JDxmxaoQ9FUv9x8TKyKSY.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\wDrZ6hfdUrkd3JgS0hjhg6UX.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\oDbOgHc2o8C57zZ3j5h88raq.exe
Source: C:\Users\user\AppData\Local\Temp\1000077001\jfesawdr.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\kqWcoPWge2lBBTisp4lafa9T.exe
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\swiiiii[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\2Tou5zGna3sRH11GciMBbZgS.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\2fZdJDwSJsgUfWXz4vfSCNc2.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\w2LYT0LfpWsoNTZvweJklQve.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\2WfD0d98t0vvspmZtbNiMd3K.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\m51WyQJV3lONT871iWetdwlO.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\0LDENujoRxGDNSg8nAFeOW4T.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\kJQmHVN1ymzFf6h1SAx9MRkd.exe
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe File created: C:\Users\user\AppData\Local\Temp\u1eg.2\relay.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\T3Qq4u2DRguTQUrxYHela5ZS.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\y37mD1IuO45o81MbxoPzuNXd.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\UD5c5lRW73IS3PFTwgbHbs5R.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\sAZX6pCAhoctp0pZlpHswGSQ.exe
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\4767d2e713f2021e8fe856e3ea638b58[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\42aqT3i0exo8ClkJ9x9x76bj.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\G5ySvIIiUZEng2gHEb0ia9X8.exe
Source: C:\Users\user\Pictures\CpqmTFb0JovJ1ZbssYgoEukK.exe File created: C:\Users\user\AppData\Local\Temp\u5xs.2\UIxMarketPlugin.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\JpNy2GKOfbQVVFOOPrMrSDYH.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\Gyjybmuo0flsJ9dTOIsqJkOX.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\jok[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\vDuCgf2Voaw2LLAsDp7A6309.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\anYrNMf7BkK2nQqzIYyWir6K.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\hUntDTmBlfyZnFAi6sAPMqK9.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\VkPnywQDA6u7BOwpwfjSJ67x.exe
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\CW6I446Upi6pRJwdKk7DKik9.exe
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe File created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\tlTbd0P2iK6BETIro6KxfVNb.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Temp\1000080001\alexxxxxxxx.exe
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe File created: C:\Users\user\AppData\Local\Temp\u1eg.2\run.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\ME586VT0sUE29Jo7X6zYQs1O.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\UiQzdb0JuVAuKhgIqFvM40tD.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\wm7we8oXFjD0na8cInm6YOSJ.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\dr1rk0EffiWHIOEoIM0y02vz.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\wYB5cGZirJjZJJPhntypmeFR.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\3ffKdsqDDK85YKPHUJ1yg9YY.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\Pictures\mwOimlTAau0yLmr8r4SRU8mq.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\RPuSi7aHauEmoLNZJ0gygFsP.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\PhNOluqeDQNAgQ6pyogubEva.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\5fqYYoyWfgcx2hRWq28g7nNF.exe
Source: C:\Users\user\Pictures\CpqmTFb0JovJ1ZbssYgoEukK.exe File created: C:\Users\user\AppData\Local\Temp\u5xs.0.exe
Source: C:\Users\user\Pictures\CpqmTFb0JovJ1ZbssYgoEukK.exe File created: C:\Users\user\AppData\Local\Temp\u5xs.2\run.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Temp\1000077001\jfesawdr.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Wbr3x69pcbSZtPyx0r9XirkL.exe
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe File created: C:\Users\user\AppData\Local\Temp\u1eg.2\UIxMarketPlugin.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\ndb0fcrEXTitnmEiCwbBu17x.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\e9hVvSYXlP0xhhVB1Cn6Pgop.exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe" /F
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe File created: C:\Windows\Tasks\explorha.job

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Memory written: PID: 7732 base: 1310005 value: E9 8B 2F BE 75
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Memory written: PID: 7732 base: 76EF2F90 value: E9 7A D0 41 8A
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: 22_2_0010C858 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 22_2_0010C858
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000077001\jfesawdr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
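The entries above are SetErrorMode() calls, one line per call; the flag names map onto the SEM_* constants in winbase.h (SEM_FAILCRITICALERRORS 0x0001, SEM_NOGPFAULTERRORBOX 0x0002, SEM_NOOPENFILEERRORBOX 0x8000). Added example, not part of this Joe Sandbox report: a Python script that parses these entries, folds them into one row per process (call count plus the union of flags) and names the flags set. The sample lines are a handful copied from the list above, not the full list. Caveat: SetErrorMode is called by plenty of legitimate software, and WerFault.exe setting FAILCRITICALERRORS | NOGPFAULTERRORBOX is the error-reporting tool's own normal behaviour, so on its own this is a weak signal; its value is the aggregate view of which dropped payloads suppress error dialogs before the evasion checks that follow.

```python
import re
from collections import defaultdict

# SetErrorMode() flag values as defined in the Windows SDK (winbase.h).
SEM_FLAGS = {
    "FAILCRITICALERRORS": 0x0001,
    "NOGPFAULTERRORBOX": 0x0002,
    "NOALIGNMENTFAULTEXCEPT": 0x0004,
    "NOOPENFILEERRORBOX": 0x8000,
}

# Shape of a "Process information set" entry in the report above.
ENTRY_RE = re.compile(
    r"^Source:\s+(?P<proc>\S+)\s+Process information set:\s+(?P<flags>.+?)\s*$"
)

# Constructed sample: a few entries copied from the report, not the full list.
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX",
    r"Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX",
    r"Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX",
    r"Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX",
    r"Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX",
]


def parse_entry(line):
    """Return (process_path, SEM mask) for one entry, or None if the line is not one."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    mask = 0
    for name in (f.strip() for f in m.group("flags").split("|")):
        if name not in SEM_FLAGS:
            raise ValueError(f"unknown SetErrorMode flag in report: {name}")
        mask |= SEM_FLAGS[name]
    return m.group("proc"), mask


def summarize(lines):
    """Collapse the entries into one row per process: call count and union of flags."""
    rows = defaultdict(lambda: {"calls": 0, "mask": 0})
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        proc, mask = parsed
        rows[proc]["calls"] += 1
        rows[proc]["mask"] |= mask
    return dict(rows)


def flag_names(mask):
    """SEM_* names present in a mask, in ascending bit order."""
    return [f"SEM_{n}" for n, v in sorted(SEM_FLAGS.items(), key=lambda kv: kv[1]) if mask & v]


def hides_crashes(mask):
    """True when the mask suppresses the crash (general protection fault) dialog.

    Only SEM_NOGPFAULTERRORBOX does that; SEM_NOOPENFILEERRORBOX on its own just hides
    the message box the legacy OpenFile() API shows when it cannot find a file.
    """
    return bool(mask & SEM_FLAGS["NOGPFAULTERRORBOX"])


if __name__ == "__main__":
    for proc, row in summarize(SAMPLE_LINES).items():
        print(f"{row['calls']:3d}  0x{row['mask']:04X}  {', '.join(flag_names(row['mask']))}  {proc}")
```

Feed it the whole "Process information set" block of a report and the 240 lines above reduce to seven rows, which is the view you actually want when deciding which of the dropped executables to look at first.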

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: powershell.exe PID: 6420, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: file300un.exe PID: 4764, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe System information queried: FirmwareTableInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.0000000003E40000.00000040.00001000.00020000.00000000.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000400000.00000040.00000001.01000000.0000001F.sdmp Binary or memory string: RTP.EXESYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETTL EXPIREDUNINSTALLERVBOXSERVICEVMUSRVC.EXEVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDER[:^XDIGIT:]\DSEFIX.EXEADDITIONALSALARM CLOCKAPPLICATIONASSISTQUEUEAUTHORITIESBAD ADDRESSBAD ARGSIZEBAD M VALUEBAD MESSAGEBAD TIMEDIVBITCOINS.SKBROKEN PIPECAMPAIGN_IDCGOCALL NILCLOBBERFREECLOSESOCKETCOMBASE.DLLCREATED BY CRYPT32.DLLE2.KEFF.ORGEMBEDDED/%SEXTERNAL IPFILE EXISTSFINAL TOKENFLOAT32NAN2FLOAT64NAN1FLOAT64NAN2FLOAT64NAN3GCCHECKMARKGENERALIZEDGET CDN: %WGETPEERNAMEGETSOCKNAMEGLOBALALLOCHTTP2CLIENTHTTP2SERVERHTTPS_PROXYI/O TIMEOUTLOCAL ERRORMSPANMANUALMETHODARGS(MINTRIGGER=MOVE %S: %WMSWSOCK.DLLNETPOLLINITNEXT SERVERNIL CONTEXTOPERA-PROXYORANNIS.COMOUT OF SYNCPARSE ERRORPROCESS: %SREFLECT.SETREFLECTOFFSRETRY-AFTERRUNTIME: P RUNTIME: G RUNTIME: P SCHEDDETAILSECHOST.DLLSECUR32.DLLSERVICE: %SSHELL32.DLLSHORT WRITESTACK TRACESTART PROXYTASKMGR.EXETLS: ALERT(TRACEALLOC(TRAFFIC UPDUNREACHABLEUSERENV.DLLVERSION.DLLVERSION=195WININET.DLLWUP_PROCESS (SENSITIVE) B (
Source: file300un.exe, 0000001D.00000002.2861385706.000001F09E930000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: file300un.exe, 0000001D.00000002.2861385706.000001F09E930000.00000004.00000800.00020000.00000000.sdmp, podaw.exe, 00000030.00000002.4391865984.0000000000528000.00000020.00000001.01000000.0000001E.sdmp Binary or memory string: SBIEDLL.DLL
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.0000000003E40000.00000040.00001000.00020000.00000000.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000400000.00000040.00000001.01000000.0000001F.sdmp Binary or memory string: TOO MANY LINKSTOO MANY USERSTORRC FILENAMEUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERUSERARENASTATEVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WINDOW CREATEDWORK.FULL != 0XENSERVICE.EXEZERO PARAMETER WITH GC PROG
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.0000000003E40000.00000040.00001000.00020000.00000000.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000400000.00000040.00000001.01000000.0000001F.sdmp Binary or memory string: ... OMITTING ACCEPT-CHARSETAFTER EFIGUARDALLOCFREETRACEBAD ALLOCCOUNTBAD RECORD MACBAD RESTART PCBAD SPAN STATEBTC.USEBSV.COMCERT INSTALLEDCHECKSUM ERRORCONTENT-LENGTHCOULDN'T PATCHDATA TRUNCATEDDISTRIBUTOR_IDDRIVER REMOVEDERROR RESPONSEFILE TOO LARGEFINALIZER WAITGCSTOPTHEWORLDGET UPTIME: %WGETPROTOBYNAMEGOT SYSTEM PIDINITIAL SERVERINTERNAL ERRORINVALID SYNTAXIS A DIRECTORYKEY SIZE WRONGLEVEL 2 HALTEDLEVEL 3 HALTEDMEMPROFILERATEMULTIPARTFILESNEED MORE DATANIL ELEM TYPE!NO MODULE DATANO SUCH DEVICEOPEN EVENT: %WPARSE CERT: %WPROTOCOL ERRORREAD CERTS: %WREAD_FRAME_EOFREFLECT.VALUE.REMOVE APP: %WRUNTIME: FULL=RUNTIME: WANT=S.ALLOCCOUNT= SEMAROOT QUEUESERVER.VERSIONSTACK OVERFLOWSTART TASK: %WSTOPM SPINNINGSTORE64 FAILEDSYNC.COND.WAITTEXT FILE BUSYTIME.LOCATION(TIMEENDPERIODTOO MANY LINKSTOO MANY USERSTORRC FILENAMEUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERUSERARENASTATEVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WINDOW CREATEDWORK.FULL != 0XENSERVICE.EXEZERO PARAMETER WITH GC PROG
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 77B1E4 second address: 77B1E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 77B356 second address: 77B36E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F82FCB0552Bh 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 77B36E second address: 77B384 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jo 00007F82FCE531F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 je 00007F82FCE531F6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 77B384 second address: 77B39F instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F82FCB05526h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e push esi 0x0000000f pop esi 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 jbe 00007F82FCB05526h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 77B39F second address: 77B3BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCE53206h 0x00000007 jns 00007F82FCE531F6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 77B3BF second address: 77B3C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 77B3C5 second address: 77B3C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 77B3C9 second address: 77B3D8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jg 00007F82FCB05526h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 77B518 second address: 77B522 instructions: 0x00000000 rdtsc 0x00000002 js 00007F82FCE5320Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 77B522 second address: 77B556 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F82FCB05530h 0x00000009 pushad 0x0000000a jmp 00007F82FCB0552Fh 0x0000000f jno 00007F82FCB05526h 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 77B556 second address: 77B568 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F82FCE531FBh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 77B568 second address: 77B572 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F82FCB0552Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 77B6FB second address: 77B709 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F82FCE531FAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 77B709 second address: 77B70D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 77B895 second address: 77B8AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F82FCE53206h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 77B8AF second address: 77B8B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 77B8B5 second address: 77B8BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 77B8BB second address: 77B8C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 77E7F5 second address: 77E7F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 77E8E1 second address: 77E919 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCB0552Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov edi, eax 0x0000000e push 00000000h 0x00000010 je 00007F82FCB0552Ch 0x00000016 mov ecx, dword ptr [ebp+122D2934h] 0x0000001c call 00007F82FCB05529h 0x00000021 push eax 0x00000022 push edx 0x00000023 jns 00007F82FCB05528h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 77E919 second address: 77E91F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 77E91F second address: 77E923 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 77E923 second address: 77E945 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F82FCE531F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push esi 0x0000000e jmp 00007F82FCE531FAh 0x00000013 pop esi 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 77E945 second address: 77E949 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 77E949 second address: 77E960 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jnl 00007F82FCE531F6h 0x0000000f popad 0x00000010 popad 0x00000011 mov eax, dword ptr [eax] 0x00000013 push esi 0x00000014 push edi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 77E960 second address: 77E96F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop esi 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 77E96F second address: 77E973 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 77E973 second address: 77EA30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F82FCB0552Fh 0x0000000b popad 0x0000000c pop eax 0x0000000d pushad 0x0000000e jmp 00007F82FCB05530h 0x00000013 mov dword ptr [ebp+122D1B53h], eax 0x00000019 popad 0x0000001a jnl 00007F82FCB0552Ch 0x00000020 push 00000003h 0x00000022 add esi, dword ptr [ebp+122D288Ch] 0x00000028 push 00000000h 0x0000002a mov si, di 0x0000002d push 00000003h 0x0000002f mov edx, 7439F5D1h 0x00000034 call 00007F82FCB05538h 0x00000039 mov esi, dword ptr [ebp+122D338Eh] 0x0000003f pop esi 0x00000040 push CD701F00h 0x00000045 jnc 00007F82FCB05531h 0x0000004b xor dword ptr [esp], 0D701F00h 0x00000052 mov ecx, dword ptr [ebp+122D2E0Dh] 0x00000058 lea ebx, dword ptr [ebp+124536B6h] 0x0000005e jo 00007F82FCB05537h 0x00000064 jmp 00007F82FCB05531h 0x00000069 xchg eax, ebx 0x0000006a push eax 0x0000006b push edx 0x0000006c jno 00007F82FCB0552Ch 0x00000072 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 77EAC2 second address: 77EB95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007F82FCE531FCh 0x0000000c nop 0x0000000d jmp 00007F82FCE531FEh 0x00000012 push 00000000h 0x00000014 and edx, dword ptr [ebp+122D28F8h] 0x0000001a call 00007F82FCE531F9h 0x0000001f jp 00007F82FCE531FAh 0x00000025 push eax 0x00000026 push edi 0x00000027 push edx 0x00000028 push eax 0x00000029 pop eax 0x0000002a pop edx 0x0000002b pop edi 0x0000002c mov eax, dword ptr [esp+04h] 0x00000030 push ecx 0x00000031 jnc 00007F82FCE5320Dh 0x00000037 pop ecx 0x00000038 mov eax, dword ptr [eax] 0x0000003a jc 00007F82FCE53200h 0x00000040 jmp 00007F82FCE531FAh 0x00000045 mov dword ptr [esp+04h], eax 0x00000049 jp 00007F82FCE531FEh 0x0000004f pop eax 0x00000050 sub dword ptr [ebp+122D1A19h], eax 0x00000056 push 00000003h 0x00000058 sub di, 548Ah 0x0000005d push 00000000h 0x0000005f add si, D65Eh 0x00000064 push 00000003h 0x00000066 jmp 00007F82FCE53202h 0x0000006b jp 00007F82FCE531FCh 0x00000071 xor dword ptr [ebp+122D2003h], ebx 0x00000077 push 8EA5613Ch 0x0000007c push eax 0x0000007d push edx 0x0000007e js 00007F82FCE531FCh 0x00000084 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 77EC5B second address: 77EC78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F82FCB05538h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7914B2 second address: 7914BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7914BB second address: 7914CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b jnp 00007F82FCB05526h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 765CA4 second address: 765CB7 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F82FCE531FEh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 765CB7 second address: 765CDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F82FCB0552Dh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F82FCB0552Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 765CDD second address: 765CE9 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F82FCE531F6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 79E60F second address: 79E627 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F82FCB0552Fh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 79E627 second address: 79E62B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 79ED93 second address: 79EDB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F82FCB05537h 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 79EDB2 second address: 79EDB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 79F189 second address: 79F18F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 79F18F second address: 79F1A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F82FCE53200h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 79F5DE second address: 79F5FD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F82FCB05539h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 79F5FD second address: 79F617 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F82FCE53202h 0x00000008 ja 00007F82FCE531F6h 0x0000000e ja 00007F82FCE531F6h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push ebx 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 79F617 second address: 79F61F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 79FFAB second address: 79FFAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 79FFAF second address: 79FFD9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F82FCB0552Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F82FCB05530h 0x00000012 jne 00007F82FCB05526h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 79FFD9 second address: 79FFF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F82FCE531FBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnp 00007F82FCE531FCh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7A0299 second address: 7A02C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCB05536h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F82FCB0552Bh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7A02C2 second address: 7A02C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7A301D second address: 7A303B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007F82FCB05531h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push ebx 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7A375B second address: 7A375F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7A375F second address: 7A3765 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 76C872 second address: 76C878 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 76C878 second address: 76C883 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F82FCB05526h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 76C883 second address: 76C888 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 76C888 second address: 76C88E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7AAEDA second address: 7AAEF0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCE531FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7AAEF0 second address: 7AAEF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7AAEF4 second address: 7AAF04 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F82FCE531F6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7AAF04 second address: 7AAF0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7AB05F second address: 7AB065 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7AB065 second address: 7AB074 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F82FCB0552Ah 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7AB074 second address: 7AB089 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F82FCE53200h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7AD820 second address: 7AD86B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007F82FCB05537h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d add dword ptr [esp], 65A48257h 0x00000014 mov edi, dword ptr [ebp+122D2BA0h] 0x0000001a call 00007F82FCB05529h 0x0000001f jmp 00007F82FCB0552Bh 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 jng 00007F82FCB05526h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7AD86B second address: 7AD86F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7AD86F second address: 7AD875 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7AD875 second address: 7AD87B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7AD87B second address: 7AD87F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7AD87F second address: 7AD8A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F82FCE53201h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7AD8A2 second address: 7AD8D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F82FCB0552Dh 0x00000008 jnl 00007F82FCB05526h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F82FCB05534h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7AD8D3 second address: 7AD8F8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F82FCE53206h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7AD8F8 second address: 7AD8FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7ADD82 second address: 7ADD88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7ADD88 second address: 7ADD8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7ADEE7 second address: 7ADF1B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F82FCE531F6h 0x00000009 jmp 00007F82FCE53208h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edi 0x00000013 pushad 0x00000014 jmp 00007F82FCE531FBh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7AE435 second address: 7AE439 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7AE517 second address: 7AE53C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop ecx 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007F82FCE53207h 0x00000014 jmp 00007F82FCE53201h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7AE5B4 second address: 7AE5E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F82FCB05526h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 js 00007F82FCB05528h 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F82FCB05537h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7AE76B second address: 7AE778 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push esi 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7AEA39 second address: 7AEA4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 jbe 00007F82FCB05530h 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7AEA4A second address: 7AEA64 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push esi 0x00000008 sub dword ptr [ebp+122D1ECDh], ecx 0x0000000e pop edi 0x0000000f xchg eax, ebx 0x00000010 jnp 00007F82FCE53209h 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7AEFC2 second address: 7AEFC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7AEFC7 second address: 7AF04F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F82FCE53200h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push ebx 0x0000000d push eax 0x0000000e pop eax 0x0000000f pop ebx 0x00000010 jmp 00007F82FCE531FBh 0x00000015 popad 0x00000016 nop 0x00000017 push 00000000h 0x00000019 push ebp 0x0000001a call 00007F82FCE531F8h 0x0000001f pop ebp 0x00000020 mov dword ptr [esp+04h], ebp 0x00000024 add dword ptr [esp+04h], 00000015h 0x0000002c inc ebp 0x0000002d push ebp 0x0000002e ret 0x0000002f pop ebp 0x00000030 ret 0x00000031 push 00000000h 0x00000033 mov di, cx 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push edx 0x0000003b call 00007F82FCE531F8h 0x00000040 pop edx 0x00000041 mov dword ptr [esp+04h], edx 0x00000045 add dword ptr [esp+04h], 00000018h 0x0000004d inc edx 0x0000004e push edx 0x0000004f ret 0x00000050 pop edx 0x00000051 ret 0x00000052 call 00007F82FCE53202h 0x00000057 mov si, 9FB1h 0x0000005b pop edi 0x0000005c xchg eax, ebx 0x0000005d push edi 0x0000005e push eax 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7AF04F second address: 7AF053 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7AF053 second address: 7AF06A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F82FCE531FDh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7B16C3 second address: 7B16C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7B16C9 second address: 7B16CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7B5C63 second address: 7B5C78 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCB05531h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7B7C56 second address: 7B7C79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCE53209h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7B7C79 second address: 7B7C83 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7B9491 second address: 7B94E3 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F82FCE531FCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b movzx edi, di 0x0000000e mov ebx, dword ptr [ebp+122D29D0h] 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push esi 0x00000019 call 00007F82FCE531F8h 0x0000001e pop esi 0x0000001f mov dword ptr [esp+04h], esi 0x00000023 add dword ptr [esp+04h], 0000001Bh 0x0000002b inc esi 0x0000002c push esi 0x0000002d ret 0x0000002e pop esi 0x0000002f ret 0x00000030 mov di, AA52h 0x00000034 push 00000000h 0x00000036 mov dword ptr [ebp+122D19F0h], edi 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 push edx 0x00000042 pop edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7B94E3 second address: 7B94ED instructions: 0x00000000 rdtsc 0x00000002 ja 00007F82FCB05526h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 764186 second address: 7641A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCE53209h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7641A7 second address: 7641AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7BF8F3 second address: 7BF8FD instructions: 0x00000000 rdtsc 0x00000002 jno 00007F82FCE531F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7BEA0C second address: 7BEA16 instructions: 0x00000000 rdtsc 0x00000002 je 00007F82FCB05526h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7BEA16 second address: 7BEA30 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F82FCE531FCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ecx 0x0000000c jl 00007F82FCE531FCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7C17AD second address: 7C181B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F82FCB05531h 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007F82FCB05528h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 00000018h 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 push 00000000h 0x0000002b or ebx, dword ptr [ebp+122D2884h] 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push edi 0x00000036 call 00007F82FCB05528h 0x0000003b pop edi 0x0000003c mov dword ptr [esp+04h], edi 0x00000040 add dword ptr [esp+04h], 00000018h 0x00000048 inc edi 0x00000049 push edi 0x0000004a ret 0x0000004b pop edi 0x0000004c ret 0x0000004d mov bl, 1Bh 0x0000004f push eax 0x00000050 push esi 0x00000051 pushad 0x00000052 push edx 0x00000053 pop edx 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7BEA30 second address: 7BEAC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push ecx 0x00000009 call 00007F82FCE531F8h 0x0000000e pop ecx 0x0000000f mov dword ptr [esp+04h], ecx 0x00000013 add dword ptr [esp+04h], 00000016h 0x0000001b inc ecx 0x0000001c push ecx 0x0000001d ret 0x0000001e pop ecx 0x0000001f ret 0x00000020 and ebx, dword ptr [ebp+122D33B1h] 0x00000026 sub dword ptr [ebp+122D2777h], eax 0x0000002c push dword ptr fs:[00000000h] 0x00000033 mov dword ptr fs:[00000000h], esp 0x0000003a push 00000000h 0x0000003c push eax 0x0000003d call 00007F82FCE531F8h 0x00000042 pop eax 0x00000043 mov dword ptr [esp+04h], eax 0x00000047 add dword ptr [esp+04h], 00000014h 0x0000004f inc eax 0x00000050 push eax 0x00000051 ret 0x00000052 pop eax 0x00000053 ret 0x00000054 xor ebx, 34E8B9FFh 0x0000005a mov dword ptr [ebp+122D1E49h], ecx 0x00000060 mov eax, dword ptr [ebp+122D09C1h] 0x00000066 jo 00007F82FCE531F9h 0x0000006c mov di, bx 0x0000006f push FFFFFFFFh 0x00000071 mov edi, dword ptr [ebp+122D2B1Ch] 0x00000077 nop 0x00000078 jmp 00007F82FCE53200h 0x0000007d push eax 0x0000007e js 00007F82FCE53204h 0x00000084 push eax 0x00000085 push edx 0x00000086 pushad 0x00000087 popad 0x00000088 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7C26F3 second address: 7C26F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7C497B second address: 7C497F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7C788A second address: 7C7891 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7C8EEB second address: 7C8F57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 mov ebx, 032CDE96h 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 call 00007F82FCE531F8h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], ecx 0x0000001d add dword ptr [esp+04h], 0000001Ah 0x00000025 inc ecx 0x00000026 push ecx 0x00000027 ret 0x00000028 pop ecx 0x00000029 ret 0x0000002a mov dword ptr [ebp+122D2E89h], ebx 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push ebx 0x00000035 call 00007F82FCE531F8h 0x0000003a pop ebx 0x0000003b mov dword ptr [esp+04h], ebx 0x0000003f add dword ptr [esp+04h], 00000019h 0x00000047 inc ebx 0x00000048 push ebx 0x00000049 ret 0x0000004a pop ebx 0x0000004b ret 0x0000004c mov dword ptr [ebp+122D1B8Ch], ecx 0x00000052 xchg eax, esi 0x00000053 jc 00007F82FCE53200h 0x00000059 push eax 0x0000005a push edx 0x0000005b push esi 0x0000005c pop esi 0x0000005d rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7C293F second address: 7C2945 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7C2945 second address: 7C2956 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 pushad 0x00000008 push edi 0x00000009 pushad 0x0000000a popad 0x0000000b pop edi 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7C4A79 second address: 7C4A7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7C595E second address: 7C59E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 jmp 00007F82FCE53201h 0x0000000c nop 0x0000000d je 00007F82FCE531FBh 0x00000013 sbb di, 9209h 0x00000018 push dword ptr fs:[00000000h] 0x0000001f call 00007F82FCE531FEh 0x00000024 adc di, 7AF1h 0x00000029 pop edi 0x0000002a pushad 0x0000002b movsx esi, cx 0x0000002e mov di, 7792h 0x00000032 popad 0x00000033 mov dword ptr fs:[00000000h], esp 0x0000003a mov edi, dword ptr [ebp+122D1EFFh] 0x00000040 mov eax, dword ptr [ebp+122D063Dh] 0x00000046 jg 00007F82FCE531F6h 0x0000004c push FFFFFFFFh 0x0000004e jp 00007F82FCE531F6h 0x00000054 nop 0x00000055 jp 00007F82FCE53206h 0x0000005b pushad 0x0000005c pushad 0x0000005d popad 0x0000005e jmp 00007F82FCE531FCh 0x00000063 popad 0x00000064 push eax 0x00000065 pushad 0x00000066 push eax 0x00000067 push edx 0x00000068 jg 00007F82FCE531F6h 0x0000006e rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7C1994 second address: 7C19A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F82FCB0552Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7C8076 second address: 7C807B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7D0B6F second address: 7D0B7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7D0B7A second address: 7D0B80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7D0E16 second address: 7D0E1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7D0E1D second address: 7D0E27 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7D0E27 second address: 7D0E31 instructions: 0x00000000 rdtsc 0x00000002 je 00007F82FCB05526h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7D0E31 second address: 7D0E43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a je 00007F82FCE531F8h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7D0E43 second address: 7D0E49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7DD7BF second address: 7DD7CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F82FCE531F8h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7DD1E5 second address: 7DD1EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7DD1EF second address: 7DD1F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7DD396 second address: 7DD39D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7E2979 second address: 7E297F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7E297F second address: 7E29B5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F82FCB05526h 0x00000008 jmp 00007F82FCB05531h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F82FCB05539h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7E29B5 second address: 7E29CE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jbe 00007F82FCE531F6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7E29CE second address: 7E29D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7AC1E3 second address: 7AC1EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F82FCE531F6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7AC1EE second address: 7AC239 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007F82FCB05528h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 00000014h 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 mov edi, dword ptr [ebp+122D2EA0h] 0x0000002a lea eax, dword ptr [ebp+12480ED4h] 0x00000030 mov edx, 2F82D44Ah 0x00000035 nop 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007F82FCB05530h 0x0000003e rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7AC78F second address: 7AC795 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7AC795 second address: 7AC79E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7AC79E second address: 7AC7A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7AC7A2 second address: 7AC7A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7AC7A6 second address: 5FE900 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push edx 0x0000000a jp 00007F82FCE531F6h 0x00000010 pop edx 0x00000011 jmp 00007F82FCE531FEh 0x00000016 popad 0x00000017 nop 0x00000018 or dword ptr [ebp+122D17B6h], ecx 0x0000001e push dword ptr [ebp+122D1191h] 0x00000024 mov dword ptr [ebp+122D36BCh], edi 0x0000002a call dword ptr [ebp+122D1A39h] 0x00000030 pushad 0x00000031 stc 0x00000032 mov dword ptr [ebp+122D1A29h], ebx 0x00000038 xor eax, eax 0x0000003a mov dword ptr [ebp+122D1A29h], eax 0x00000040 mov edx, dword ptr [esp+28h] 0x00000044 js 00007F82FCE531FCh 0x0000004a mov dword ptr [ebp+122D1A29h], edx 0x00000050 mov dword ptr [ebp+122D2A8Ch], eax 0x00000056 mov dword ptr [ebp+122D1B53h], eax 0x0000005c mov esi, 0000003Ch 0x00000061 jmp 00007F82FCE53202h 0x00000066 jns 00007F82FCE531F7h 0x0000006c add esi, dword ptr [esp+24h] 0x00000070 mov dword ptr [ebp+122D1A29h], ecx 0x00000076 lodsw 0x00000078 sub dword ptr [ebp+122D1B53h], ebx 0x0000007e add eax, dword ptr [esp+24h] 0x00000082 jp 00007F82FCE531F7h 0x00000088 clc 0x00000089 jmp 00007F82FCE53209h 0x0000008e mov ebx, dword ptr [esp+24h] 0x00000092 mov dword ptr [ebp+122D1B53h], ebx 0x00000098 nop 0x00000099 pushad 0x0000009a push eax 0x0000009b push edx 0x0000009c jns 00007F82FCE531F6h 0x000000a2 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7AC83C second address: 7AC842 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7ACA0F second address: 7ACA32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], esi 0x0000000d or dword ptr [ebp+122D26ACh], esi 0x00000013 nop 0x00000014 pushad 0x00000015 pushad 0x00000016 push edx 0x00000017 pop edx 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a popad 0x0000001b jc 00007F82FCE531FCh 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7ACAE6 second address: 7ACAEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7ACD08 second address: 7ACD13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F82FCE531F6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7ACD13 second address: 7ACD18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7AD053 second address: 7AD07F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 nop 0x00000008 and ecx, 23BA70D6h 0x0000000e push 0000001Eh 0x00000010 push ebx 0x00000011 mov edi, dword ptr [ebp+122D2A64h] 0x00000017 pop edi 0x00000018 nop 0x00000019 ja 00007F82FCE531FEh 0x0000001f js 00007F82FCE531F8h 0x00000025 push eax 0x00000026 pop eax 0x00000027 push eax 0x00000028 push eax 0x00000029 push edi 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7AD352 second address: 7AD358 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7AD358 second address: 7AD35F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7AD470 second address: 795756 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007F82FCB0552Fh 0x0000000b nop 0x0000000c push eax 0x0000000d xor dword ptr [ebp+122D1B91h], edx 0x00000013 pop edx 0x00000014 sbb cl, 00000000h 0x00000017 call dword ptr [ebp+122D1BA4h] 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 push ebx 0x00000021 pop ebx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 795756 second address: 79575A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 79575A second address: 795764 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 795764 second address: 79576A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7E1F63 second address: 7E1F6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7E23DD second address: 7E23E2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7E23E2 second address: 7E2405 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jns 00007F82FCB0552Eh 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jo 00007F82FCB05526h 0x00000017 popad 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7E2405 second address: 7E2430 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F82FCE53207h 0x0000000e jmp 00007F82FCE531FBh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7E255B second address: 7E256B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F82FCB0552Bh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 76AD07 second address: 76AD11 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 76AD11 second address: 76AD17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 76AD17 second address: 76AD1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 773557 second address: 77356E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCB05533h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7E831B second address: 7E8320 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7E8320 second address: 7E833B instructions: 0x00000000 rdtsc 0x00000002 ja 00007F82FCB0553Dh 0x00000008 jmp 00007F82FCB05531h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7E8610 second address: 7E8618 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7E8618 second address: 7E861E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7E92C4 second address: 7E92CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7E92CC second address: 7E92D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 ja 00007F82FCB0552Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7F1AD3 second address: 7F1AD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7F1AD9 second address: 7F1AEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F82FCB05526h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d popad 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7F1AEC second address: 7F1B01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F82FCE53201h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7F1C2E second address: 7F1C42 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCB05530h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7F1C42 second address: 7F1C48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7F1C48 second address: 7F1C4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7F1DA3 second address: 7F1DCE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F82FCE531FEh 0x0000000c pop edi 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F82FCE53203h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7F1F38 second address: 7F1F4E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCB05532h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7F21EC second address: 7F21FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jp 00007F82FCE531F6h 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7F21FE second address: 7F2221 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F82FCB05526h 0x0000000a jmp 00007F82FCB05538h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7F2221 second address: 7F222B instructions: 0x00000000 rdtsc 0x00000002 jng 00007F82FCE531FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7F2987 second address: 7F29D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCB05539h 0x00000007 js 00007F82FCB05526h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F82FCB05536h 0x00000014 jmp 00007F82FCB0552Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7F29D0 second address: 7F29D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7F29D4 second address: 7F29D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7F29D8 second address: 7F2A16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jbe 00007F82FCE531FEh 0x0000000e push edx 0x0000000f pop edx 0x00000010 jl 00007F82FCE531F6h 0x00000016 jmp 00007F82FCE53206h 0x0000001b pushad 0x0000001c jmp 00007F82FCE531FFh 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7F2E52 second address: 7F2E57 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7F2E57 second address: 7F2E5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7F2E5D second address: 7F2E65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7F2E65 second address: 7F2E74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jl 00007F82FCE531F6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7F16FE second address: 7F171D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jno 00007F82FCB0552Ch 0x0000000b jnl 00007F82FCB0552Ah 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7F171D second address: 7F1721 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7F1721 second address: 7F1732 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007F82FCB05526h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7F1732 second address: 7F174F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCE53209h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7F174F second address: 7F1763 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F82FCB0552Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7F5E37 second address: 7F5E5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCE531FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F82FCE53208h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7F5E5D second address: 7F5E6C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F82FCB05528h 0x00000008 push esi 0x00000009 pop esi 0x0000000a push esi 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7F5E6C second address: 7F5E97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F82FCE531FBh 0x0000000e push edi 0x0000000f jmp 00007F82FCE53205h 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7F898A second address: 7F898E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7F898E second address: 7F89A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F82FCE53200h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7F89A8 second address: 7F89AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7FB344 second address: 7FB349 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7FB349 second address: 7FB353 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7FB353 second address: 7FB385 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007F82FCE531FEh 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jne 00007F82FCE531FCh 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F82FCE531FBh 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 88DFB1 second address: 88DFBB instructions: 0x00000000 rdtsc 0x00000002 js 00007F82FCB05526h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 88DFBB second address: 88DFD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F82FCE53200h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 88DFD1 second address: 88DFD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 88FB0E second address: 88FB16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 893DA1 second address: 893DAB instructions: 0x00000000 rdtsc 0x00000002 jl 00007F82FCB0552Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 896AA5 second address: 896AC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jnl 00007F82FCE53201h 0x0000000b push edi 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C802B2 second address: 4C802C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCB0552Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C802C1 second address: 4C802FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCE53209h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F82FCE53208h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C802FC second address: 4C80300 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C80300 second address: 4C80306 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C80306 second address: 4C80317 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F82FCB0552Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C70064 second address: 4C700BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F82FCE53200h 0x00000009 or cl, FFFFFF88h 0x0000000c jmp 00007F82FCE531FBh 0x00000011 popfd 0x00000012 movzx eax, di 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 pushad 0x0000001a mov edi, ecx 0x0000001c mov si, 4D93h 0x00000020 popad 0x00000021 xchg eax, ebp 0x00000022 jmp 00007F82FCE53206h 0x00000027 mov ebp, esp 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F82FCE531FAh 0x00000032 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C700BD second address: 4C700C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C700C1 second address: 4C700C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C700C7 second address: 4C700CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C700CD second address: 4C700D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4CB051C second address: 4CB0520 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4CB0520 second address: 4CB0526 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4CB0526 second address: 4CB056D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCB0552Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F82FCB05530h 0x0000000f push eax 0x00000010 jmp 00007F82FCB0552Bh 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F82FCB05535h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4CB056D second address: 4CB0573 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C40134 second address: 4C4019D instructions: 0x00000000 rdtsc 0x00000002 movsx ebx, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushfd 0x00000008 jmp 00007F82FCB05538h 0x0000000d add ecx, 432EDAB8h 0x00000013 jmp 00007F82FCB0552Bh 0x00000018 popfd 0x00000019 popad 0x0000001a mov ebp, esp 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007F82FCB05534h 0x00000023 sbb cx, 1518h 0x00000028 jmp 00007F82FCB0552Bh 0x0000002d popfd 0x0000002e movzx ecx, bx 0x00000031 popad 0x00000032 push dword ptr [ebp+04h] 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C4019D second address: 4C401A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C401A1 second address: 4C401BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCB05538h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C401BD second address: 4C401D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F82FCE531FCh 0x00000008 pop eax 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push dword ptr [ebp+0Ch] 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C401D9 second address: 4C401DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C401DD second address: 4C401E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C40282 second address: 4C40288 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C40288 second address: 4C4029F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCE531FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C60CC4 second address: 4C60CC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C60CC8 second address: 4C60CCE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C608D1 second address: 4C608F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCB0552Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F82FCB05535h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C608F8 second address: 4C60908 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F82FCE531FCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C60758 second address: 4C60799 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCB0552Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F82FCB0552Eh 0x00000011 or ax, 75E8h 0x00000016 jmp 00007F82FCB0552Bh 0x0000001b popfd 0x0000001c movzx esi, dx 0x0000001f popad 0x00000020 mov ebp, esp 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 mov bx, 3CE2h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C60799 second address: 4C607B8 instructions: 0x00000000 rdtsc 0x00000002 mov bx, 452Eh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F82FCE53205h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C607B8 second address: 4C607D9 instructions: 0x00000000 rdtsc 0x00000002 mov bx, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F82FCB05534h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C607D9 second address: 4C607DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C607DD second address: 4C607E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C60408 second address: 4C6040C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C6040C second address: 4C60410 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C60410 second address: 4C60416 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C60416 second address: 4C6041C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C6041C second address: 4C60420 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C60420 second address: 4C60424 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C60424 second address: 4C60449 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F82FCE53208h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C60449 second address: 4C60458 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCB0552Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C7031C second address: 4C70320 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C70320 second address: 4C7033B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCB05537h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C7033B second address: 4C703AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCE53209h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F82FCE531FEh 0x0000000f push eax 0x00000010 pushad 0x00000011 mov bh, BCh 0x00000013 pushfd 0x00000014 jmp 00007F82FCE531FAh 0x00000019 xor si, A338h 0x0000001e jmp 00007F82FCE531FBh 0x00000023 popfd 0x00000024 popad 0x00000025 xchg eax, ebp 0x00000026 jmp 00007F82FCE53206h 0x0000002b mov ebp, esp 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 movsx edx, si 0x00000033 push eax 0x00000034 pop edi 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4CB047B second address: 4CB048A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCB0552Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C80609 second address: 4C80663 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F82FCE53207h 0x00000008 pop ecx 0x00000009 mov bh, 22h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f jmp 00007F82FCE53200h 0x00000014 push eax 0x00000015 jmp 00007F82FCE531FBh 0x0000001a xchg eax, ebp 0x0000001b jmp 00007F82FCE53206h 0x00000020 mov ebp, esp 0x00000022 pushad 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C80663 second address: 4C806A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ecx, 57AF66D9h 0x00000009 popad 0x0000000a pushfd 0x0000000b jmp 00007F82FCB05536h 0x00000010 xor eax, 3F5FA768h 0x00000016 jmp 00007F82FCB0552Bh 0x0000001b popfd 0x0000001c popad 0x0000001d mov eax, dword ptr [ebp+08h] 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C806A0 second address: 4C806BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCE53207h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C806BB second address: 4C806F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCB05539h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and dword ptr [eax], 00000000h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F82FCB05538h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C806F7 second address: 4C806FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C806FB second address: 4C80701 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C80701 second address: 4C80724 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F82FCE531FCh 0x00000009 add si, C9B8h 0x0000000e jmp 00007F82FCE531FBh 0x00000013 popfd 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C6067E second address: 4C60682 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C60682 second address: 4C60690 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCE531FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C80120 second address: 4C8013D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCB05539h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C8013D second address: 4C8014D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F82FCE531FCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C8014D second address: 4C80151 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C80151 second address: 4C8016F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F82FCE53203h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C8016F second address: 4C80175 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C80175 second address: 4C80188 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e mov edx, 72196C9Eh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C80188 second address: 4C80192 instructions: 0x00000000 rdtsc 0x00000002 movsx edi, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C80192 second address: 4C801B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 mov ebp, esp 0x00000008 jmp 00007F82FCE53208h 0x0000000d pop ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C801B9 second address: 4C801BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C801BD second address: 4C801C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C801C3 second address: 4C801C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C8044E second address: 4C80454 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C80454 second address: 4C80495 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCB05533h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov bx, cx 0x00000012 pushfd 0x00000013 jmp 00007F82FCB0552Eh 0x00000018 adc cx, 0888h 0x0000001d jmp 00007F82FCB0552Bh 0x00000022 popfd 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4CA08DF second address: 4CA08E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4CA08E5 second address: 4CA0965 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 movzx esi, di 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d movzx esi, di 0x00000010 jmp 00007F82FCB05535h 0x00000015 popad 0x00000016 xchg eax, ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007F82FCB05533h 0x00000020 adc ax, D0DEh 0x00000025 jmp 00007F82FCB05539h 0x0000002a popfd 0x0000002b pushfd 0x0000002c jmp 00007F82FCB05530h 0x00000031 or cx, D0D8h 0x00000036 jmp 00007F82FCB0552Bh 0x0000003b popfd 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4CA0965 second address: 4CA09AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCE53209h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F82FCE531FEh 0x00000010 xchg eax, ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F82FCE53207h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4CA09AC second address: 4CA09B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4CA09B2 second address: 4CA0A14 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCE531FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push edi 0x0000000e mov cx, FCD1h 0x00000012 pop ecx 0x00000013 pushfd 0x00000014 jmp 00007F82FCE53207h 0x00000019 or esi, 291F0BBEh 0x0000001f jmp 00007F82FCE53209h 0x00000024 popfd 0x00000025 popad 0x00000026 xchg eax, ecx 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F82FCE531FDh 0x0000002e rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4CA0A14 second address: 4CA0A4A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCB05531h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [76FA65FCh] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F82FCB05538h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4CA0A4A second address: 4CA0A59 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCE531FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4CA0A59 second address: 4CA0ADF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCB05539h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b pushad 0x0000000c jmp 00007F82FCB0552Ch 0x00000011 call 00007F82FCB05532h 0x00000016 mov ax, 9AA1h 0x0000001a pop eax 0x0000001b popad 0x0000001c je 00007F836ED883EFh 0x00000022 jmp 00007F82FCB0552Dh 0x00000027 mov ecx, eax 0x00000029 pushad 0x0000002a movsx edi, ax 0x0000002d popad 0x0000002e xor eax, dword ptr [ebp+08h] 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 pushfd 0x00000035 jmp 00007F82FCB0552Ch 0x0000003a add cx, A898h 0x0000003f jmp 00007F82FCB0552Bh 0x00000044 popfd 0x00000045 mov bx, ax 0x00000048 popad 0x00000049 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4CA0ADF second address: 4CA0B22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCE53205h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and ecx, 1Fh 0x0000000c jmp 00007F82FCE531FEh 0x00000011 ror eax, cl 0x00000013 jmp 00007F82FCE53200h 0x00000018 leave 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4CA0B22 second address: 4CA0B26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4CA0B26 second address: 4CA0B2C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4CA0B2C second address: 4CA0B62 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCB05534h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 retn 0004h 0x0000000c nop 0x0000000d mov esi, eax 0x0000000f lea eax, dword ptr [ebp-08h] 0x00000012 xor esi, dword ptr [005F4014h] 0x00000018 push eax 0x00000019 push eax 0x0000001a push eax 0x0000001b lea eax, dword ptr [ebp-10h] 0x0000001e push eax 0x0000001f call 00007F83011F491Dh 0x00000024 push FFFFFFFEh 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F82FCB05537h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4CA0B62 second address: 4CA0B68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4CA0B68 second address: 4CA0B6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4CA0B6C second address: 4CA0BB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCE531FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c jmp 00007F82FCE53206h 0x00000011 ret 0x00000012 nop 0x00000013 push eax 0x00000014 call 00007F8301542634h 0x00000019 mov edi, edi 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e mov eax, ebx 0x00000020 call 00007F82FCE53209h 0x00000025 pop eax 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4CA0BB7 second address: 4CA0C60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCB0552Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushad 0x0000000c mov dx, si 0x0000000f pushfd 0x00000010 jmp 00007F82FCB05538h 0x00000015 add eax, 1828E868h 0x0000001b jmp 00007F82FCB0552Bh 0x00000020 popfd 0x00000021 popad 0x00000022 push esi 0x00000023 mov ebx, 4196950Ah 0x00000028 pop edx 0x00000029 popad 0x0000002a push eax 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007F82FCB0552Ah 0x00000032 and ecx, 7DA0BAC8h 0x00000038 jmp 00007F82FCB0552Bh 0x0000003d popfd 0x0000003e popad 0x0000003f xchg eax, ebp 0x00000040 pushad 0x00000041 pushfd 0x00000042 jmp 00007F82FCB0552Bh 0x00000047 and al, 0000000Eh 0x0000004a jmp 00007F82FCB05539h 0x0000004f popfd 0x00000050 popad 0x00000051 mov ebp, esp 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007F82FCB0552Dh 0x0000005a rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4CA0C60 second address: 4CA0CA3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCE53201h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F82FCE53206h 0x00000013 xor esi, 5EDC0518h 0x00000019 jmp 00007F82FCE531FBh 0x0000001e popfd 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C5000D second address: 4C50087 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F82FCB0552Fh 0x00000008 jmp 00007F82FCB05538h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 xchg eax, ebp 0x00000011 jmp 00007F82FCB05530h 0x00000016 push eax 0x00000017 pushad 0x00000018 mov dx, 68B4h 0x0000001c mov ah, dl 0x0000001e popad 0x0000001f xchg eax, ebp 0x00000020 pushad 0x00000021 call 00007F82FCB05531h 0x00000026 mov ax, FF67h 0x0000002a pop esi 0x0000002b popad 0x0000002c mov ebp, esp 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F82FCB05536h 0x00000035 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C50193 second address: 4C50199 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C502BB second address: 4C5037F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F82FCB05537h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d cmp dword ptr [esi+08h], DDEEDDEEh 0x00000014 pushad 0x00000015 pushad 0x00000016 mov ch, 9Bh 0x00000018 mov ecx, edi 0x0000001a popad 0x0000001b pushfd 0x0000001c jmp 00007F82FCB05539h 0x00000021 sub ch, FFFFFFE6h 0x00000024 jmp 00007F82FCB05531h 0x00000029 popfd 0x0000002a popad 0x0000002b je 00007F836EDD3839h 0x00000031 jmp 00007F82FCB0552Eh 0x00000036 mov edx, dword ptr [esi+44h] 0x00000039 jmp 00007F82FCB05530h 0x0000003e or edx, dword ptr [ebp+0Ch] 0x00000041 pushad 0x00000042 mov edx, esi 0x00000044 pushfd 0x00000045 jmp 00007F82FCB0552Ah 0x0000004a add si, 45E8h 0x0000004f jmp 00007F82FCB0552Bh 0x00000054 popfd 0x00000055 popad 0x00000056 test edx, 61000000h 0x0000005c push eax 0x0000005d push edx 0x0000005e jmp 00007F82FCB05535h 0x00000063 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C5037F second address: 4C50385 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C50385 second address: 4C50389 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C50389 second address: 4C50440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F836F1214EDh 0x0000000e pushad 0x0000000f call 00007F82FCE53205h 0x00000014 mov ah, 60h 0x00000016 pop edx 0x00000017 jmp 00007F82FCE531FAh 0x0000001c popad 0x0000001d test byte ptr [esi+48h], 00000001h 0x00000021 pushad 0x00000022 push esi 0x00000023 mov ebx, 292A2FF0h 0x00000028 pop edi 0x00000029 pushad 0x0000002a movzx esi, dx 0x0000002d pushfd 0x0000002e jmp 00007F82FCE53201h 0x00000033 xor ax, E576h 0x00000038 jmp 00007F82FCE53201h 0x0000003d popfd 0x0000003e popad 0x0000003f popad 0x00000040 jne 00007F836F1214A1h 0x00000046 jmp 00007F82FCE531FEh 0x0000004b test bl, 00000007h 0x0000004e push eax 0x0000004f push edx 0x00000050 pushad 0x00000051 mov bl, 4Ch 0x00000053 pushfd 0x00000054 jmp 00007F82FCE53206h 0x00000059 jmp 00007F82FCE53205h 0x0000005e popfd 0x0000005f popad 0x00000060 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C50440 second address: 4C50446 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C407FA second address: 4C40807 instructions: 0x00000000 rdtsc 0x00000002 mov ch, 38h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b mov edx, esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C40807 second address: 4C4088A instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F82FCB05536h 0x00000008 and ax, E7F8h 0x0000000d jmp 00007F82FCB0552Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 jmp 00007F82FCB05536h 0x0000001b pushfd 0x0000001c jmp 00007F82FCB05532h 0x00000021 add cl, FFFFFF88h 0x00000024 jmp 00007F82FCB0552Bh 0x00000029 popfd 0x0000002a popad 0x0000002b popad 0x0000002c push eax 0x0000002d pushad 0x0000002e mov ebx, 2682B92Ah 0x00000033 mov dh, 3Dh 0x00000035 popad 0x00000036 xchg eax, ebx 0x00000037 jmp 00007F82FCB0552Ah 0x0000003c xchg eax, esi 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 popad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C4088A second address: 4C4088E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C4088E second address: 4C40894 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C40894 second address: 4C408EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCE53204h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F82FCE531FBh 0x0000000f xchg eax, esi 0x00000010 jmp 00007F82FCE53206h 0x00000015 mov esi, dword ptr [ebp+08h] 0x00000018 jmp 00007F82FCE53200h 0x0000001d sub ebx, ebx 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C408EA second address: 4C408F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C408F0 second address: 4C4090D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov bh, DFh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a test esi, esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F82FCE531FFh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C4090D second address: 4C40914 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C40914 second address: 4C4092D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 je 00007F836F128C69h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F82FCE531FAh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C4092D second address: 4C40959 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F82FCB05537h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d cmp dword ptr [esi+08h], DDEEDDEEh 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C40959 second address: 4C4095D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C4095D second address: 4C40963 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C40963 second address: 4C40969 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C40969 second address: 4C4097F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d movsx edi, si 0x00000010 mov esi, 7DE22C35h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C4097F second address: 4C40A18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F82FCE53201h 0x00000009 add al, 00000046h 0x0000000c jmp 00007F82FCE53201h 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007F82FCE53200h 0x00000018 adc ecx, 343D26E8h 0x0000001e jmp 00007F82FCE531FBh 0x00000023 popfd 0x00000024 popad 0x00000025 pop edx 0x00000026 pop eax 0x00000027 je 00007F836F128BCAh 0x0000002d jmp 00007F82FCE53206h 0x00000032 test byte ptr [76FA6968h], 00000002h 0x00000039 pushad 0x0000003a pushfd 0x0000003b jmp 00007F82FCE531FEh 0x00000040 or ax, 8478h 0x00000045 jmp 00007F82FCE531FBh 0x0000004a popfd 0x0000004b push eax 0x0000004c push edx 0x0000004d mov dx, ax 0x00000050 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C40A18 second address: 4C40A1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C40A1C second address: 4C40A40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jne 00007F836F128B89h 0x0000000d jmp 00007F82FCE531FEh 0x00000012 mov edx, dword ptr [ebp+0Ch] 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C40A40 second address: 4C40A44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C40A44 second address: 4C40A4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C40A4A second address: 4C40A6E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCB05534h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov edi, 19E42750h 0x00000012 mov ecx, edx 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C40A6E second address: 4C40B5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCE53202h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b movsx edi, ax 0x0000000e pushad 0x0000000f call 00007F82FCE53208h 0x00000014 pop esi 0x00000015 pushfd 0x00000016 jmp 00007F82FCE531FBh 0x0000001b or al, 0000000Eh 0x0000001e jmp 00007F82FCE53209h 0x00000023 popfd 0x00000024 popad 0x00000025 popad 0x00000026 xchg eax, ebx 0x00000027 jmp 00007F82FCE531FEh 0x0000002c xchg eax, ebx 0x0000002d jmp 00007F82FCE53200h 0x00000032 push eax 0x00000033 pushad 0x00000034 pushfd 0x00000035 jmp 00007F82FCE53201h 0x0000003a adc si, 26A6h 0x0000003f jmp 00007F82FCE53201h 0x00000044 popfd 0x00000045 push ecx 0x00000046 pushfd 0x00000047 jmp 00007F82FCE53207h 0x0000004c jmp 00007F82FCE53203h 0x00000051 popfd 0x00000052 pop ecx 0x00000053 popad 0x00000054 xchg eax, ebx 0x00000055 push eax 0x00000056 push edx 0x00000057 jmp 00007F82FCE53202h 0x0000005c rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C40BD9 second address: 4C40C33 instructions: 0x00000000 rdtsc 0x00000002 mov bx, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 pop esi 0x00000009 jmp 00007F82FCB0552Ch 0x0000000e pop ebx 0x0000000f jmp 00007F82FCB05530h 0x00000014 mov esp, ebp 0x00000016 jmp 00007F82FCB05530h 0x0000001b pop ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f mov di, 02A0h 0x00000023 jmp 00007F82FCB05539h 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C40C33 second address: 4C40C39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C50DD0 second address: 4C50DD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C50DD6 second address: 4C50DDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C50DDA second address: 4C50E47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCB05533h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F82FCB05530h 0x00000013 or esi, 457899C8h 0x00000019 jmp 00007F82FCB0552Bh 0x0000001e popfd 0x0000001f popad 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007F82FCB05531h 0x0000002a xor ax, 32E6h 0x0000002f jmp 00007F82FCB05531h 0x00000034 popfd 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C50E47 second address: 4C50EB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 61B5C122h 0x00000008 pushfd 0x00000009 jmp 00007F82FCE53203h 0x0000000e adc ax, 6E1Eh 0x00000013 jmp 00007F82FCE53209h 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, ebp 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 push edx 0x00000021 pop eax 0x00000022 pushfd 0x00000023 jmp 00007F82FCE531FFh 0x00000028 xor cl, 0000002Eh 0x0000002b jmp 00007F82FCE53209h 0x00000030 popfd 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C50965 second address: 4C50969 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C50969 second address: 4C509B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F82FCE53206h 0x0000000c add cx, 64E8h 0x00000011 jmp 00007F82FCE531FBh 0x00000016 popfd 0x00000017 popad 0x00000018 xchg eax, ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F82FCE53205h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C509B0 second address: 4C509DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 4CC39992h 0x00000008 mov cx, bx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jmp 00007F82FCB05534h 0x00000014 xchg eax, ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C509DA second address: 4C509DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C509DE second address: 4C509E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C509E2 second address: 4C509E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C509E8 second address: 4C509EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C509EE second address: 4C509F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C509F2 second address: 4C50A16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCB0552Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F82FCB0552Ah 0x00000016 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C50A16 second address: 4C50A25 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCE531FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C50A25 second address: 4C50A2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C50A2B second address: 4C50A2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C50A2F second address: 4C50A58 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCB0552Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F82FCB05535h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4CD0BDE second address: 4CD0BE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4CD0BE2 second address: 4CD0C46 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F82FCB0552Ah 0x00000008 or eax, 7440CC08h 0x0000000e jmp 00007F82FCB0552Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushfd 0x00000017 jmp 00007F82FCB05538h 0x0000001c and eax, 0A32EE68h 0x00000022 jmp 00007F82FCB0552Bh 0x00000027 popfd 0x00000028 popad 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F82FCB05534h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4CD0C46 second address: 4CD0C6D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCE531FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F82FCE53205h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4CD0C6D second address: 4CD0C93 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCB05531h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F82FCB0552Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4CD0019 second address: 4CD001F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4CD001F second address: 4CD007F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCB05533h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F82FCB05536h 0x00000011 push eax 0x00000012 pushad 0x00000013 call 00007F82FCB05531h 0x00000018 mov ebx, eax 0x0000001a pop eax 0x0000001b mov cx, dx 0x0000001e popad 0x0000001f xchg eax, ebp 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F82FCB05531h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4CD007F second address: 4CD0083 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4CD0083 second address: 4CD0089 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4CD0089 second address: 4CD00CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebp, esp 0x0000000c pushad 0x0000000d push ecx 0x0000000e call 00007F82FCE53207h 0x00000013 pop eax 0x00000014 pop edx 0x00000015 push esi 0x00000016 mov ebx, 4F89CD18h 0x0000001b pop edi 0x0000001c popad 0x0000001d pop ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F82FCE53203h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4CC0F31 second address: 4CC0F36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C601A2 second address: 4C60201 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F82FCE53207h 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007F82FCE53209h 0x0000000f add eax, 03709E76h 0x00000015 jmp 00007F82FCE53201h 0x0000001a popfd 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e push eax 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F82FCE531FCh 0x00000026 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C60201 second address: 4C6020A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, D144h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4CD02D2 second address: 4CD02D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4CD02D7 second address: 4CD02DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4CD02DD second address: 4CD0308 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCE53205h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F82FCE531FDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4CD0308 second address: 4CD030D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4CD030D second address: 4CD0345 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F82FCE531FDh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F82FCE531FAh 0x00000016 sbb si, 5248h 0x0000001b jmp 00007F82FCE531FBh 0x00000020 popfd 0x00000021 movzx eax, di 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4CD0345 second address: 4CD034B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4CD034B second address: 4CD0397 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a popad 0x0000000b mov ebp, esp 0x0000000d jmp 00007F82FCE531FEh 0x00000012 push dword ptr [ebp+0Ch] 0x00000015 pushad 0x00000016 jmp 00007F82FCE531FEh 0x0000001b movzx ecx, di 0x0000001e popad 0x0000001f push dword ptr [ebp+08h] 0x00000022 pushad 0x00000023 mov esi, edx 0x00000025 popad 0x00000026 push A3473DCAh 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F82FCE531FDh 0x00000032 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4CD0397 second address: 4CD039D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7B050B second address: 7B0515 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F82FCE531F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 7B06E4 second address: 7B06E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C7069E second address: 4C706A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C706A4 second address: 4C706BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCB0552Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C706BE second address: 4C706C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C706C5 second address: 4C706CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C706CB second address: 4C706CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C707EE second address: 4C708D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCB0552Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a jmp 00007F82FCB05536h 0x0000000f mov eax, dword ptr fs:[00000000h] 0x00000015 jmp 00007F82FCB05530h 0x0000001a nop 0x0000001b jmp 00007F82FCB05530h 0x00000020 push eax 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007F82FCB05531h 0x00000028 or ecx, 2B7DD5D6h 0x0000002e jmp 00007F82FCB05531h 0x00000033 popfd 0x00000034 pushfd 0x00000035 jmp 00007F82FCB05530h 0x0000003a jmp 00007F82FCB05535h 0x0000003f popfd 0x00000040 popad 0x00000041 nop 0x00000042 pushad 0x00000043 mov bh, ch 0x00000045 call 00007F82FCB05539h 0x0000004a pushad 0x0000004b popad 0x0000004c pop ecx 0x0000004d popad 0x0000004e sub esp, 1Ch 0x00000051 jmp 00007F82FCB0552Dh 0x00000056 xchg eax, ebx 0x00000057 jmp 00007F82FCB0552Eh 0x0000005c push eax 0x0000005d push eax 0x0000005e push edx 0x0000005f pushad 0x00000060 mov edi, eax 0x00000062 popad 0x00000063 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C708D6 second address: 4C708DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C708DC second address: 4C708EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 pushad 0x0000000a popad 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C708EE second address: 4C708F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C708F2 second address: 4C708F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C708F6 second address: 4C708FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C708FC second address: 4C7091B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCB05532h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C7091B second address: 4C7091F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C7091F second address: 4C70923 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C70923 second address: 4C70929 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C70929 second address: 4C7092F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C7092F second address: 4C70991 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCE531FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, edi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F82FCE531FDh 0x00000015 sub ecx, 7D9FAF76h 0x0000001b jmp 00007F82FCE53201h 0x00000020 popfd 0x00000021 pushfd 0x00000022 jmp 00007F82FCE53200h 0x00000027 adc eax, 785DFC98h 0x0000002d jmp 00007F82FCE531FBh 0x00000032 popfd 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C70991 second address: 4C70997 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C70997 second address: 4C7099B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C7099B second address: 4C709C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCB0552Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F82FCB05534h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C709C3 second address: 4C709D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F82FCE531FEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C709D5 second address: 4C70A37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, edi 0x00000009 pushad 0x0000000a mov ecx, edi 0x0000000c mov cx, bx 0x0000000f popad 0x00000010 mov eax, dword ptr [76FAB370h] 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F82FCB05531h 0x0000001c add ecx, 72AA94F6h 0x00000022 jmp 00007F82FCB05531h 0x00000027 popfd 0x00000028 mov bx, cx 0x0000002b popad 0x0000002c xor dword ptr [ebp-08h], eax 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F82FCB05539h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C70A37 second address: 4C70A70 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F82FCE53201h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor eax, ebp 0x0000000b jmp 00007F82FCE53207h 0x00000010 nop 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov bx, B916h 0x00000018 mov eax, edx 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C70A70 second address: 4C70AB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop edx 0x00000005 movzx esi, bx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F82FCB0552Ch 0x00000011 nop 0x00000012 jmp 00007F82FCB05530h 0x00000017 lea eax, dword ptr [ebp-10h] 0x0000001a jmp 00007F82FCB05530h 0x0000001f mov dword ptr fs:[00000000h], eax 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Special instruction interceptor: First address: 5FE994 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Special instruction interceptor: First address: 7A46A1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Special instruction interceptor: First address: 7A2E7C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Special instruction interceptor: First address: 5FC2FA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Special instruction interceptor: First address: 82D478 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Special instruction interceptor: First address: F2E994 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Special instruction interceptor: First address: 10D46A1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Special instruction interceptor: First address: 10D2E7C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Special instruction interceptor: First address: F2C2FA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Special instruction interceptor: First address: 115D478 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Memory allocated: 2E20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Memory allocated: 30A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Memory allocated: 2E20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Memory allocated: 830000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Memory allocated: 2590000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Memory allocated: 24B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Memory allocated: F50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Memory allocated: 2AB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Memory allocated: 2890000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Memory allocated: 1F09CF80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Memory allocated: 1F0B6910000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2D80000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2DB0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 4DB0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 7000000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 8000000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 8180000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 9180000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 9470000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: A6F0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: BEA0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: CEA0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: DEA0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: E470000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 9280000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: A280000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: BDA0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: CDA0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: E670000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: F670000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 6FC0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: A280000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 9280000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: E670000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 9180000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 87C0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: CDA0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: E9B0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: FC30000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 11F70000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 130B0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 154F0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 154F0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 18130000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 19130000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 18130000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 18130000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 1A550000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 1B910000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 1B910000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 1B910000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 1D990000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 1ED50000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 217D0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 1ED50000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 24A50000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 27150000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 27150000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 287D0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 297D0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 29310000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2AB90000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2B250000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2C250000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2E600000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Code function: 0_2_04CD04CD rdtsc 0_2_04CD04CD
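Added example, not part of the Joe Sandbox report and not code from any tool it names: a Python triage script that parses behaviour lines of the three shapes in this section (the RDTSC interceptor traces and the registry fingerprint queries above, and the Thread delayed entries that follow) and turns them into findings an analyst can act on. For each RDTSC trace it counts how much of the code between the two timestamp reads is register-restoring filler (pushad/popad, pushfd/popfd, stack shuffles, jmp) versus memory-touching work; for the sleeps it flags infinite waits, delays longer than the analysis window, and countdown loops that re-sleep for the remaining time; for the registry it lists value names commonly read to fingerprint a VM. Assumptions: the `Source: <path> <event>: <detail>` layout with a space-free process path, delay values in milliseconds, a five-minute sandbox window, and the fingerprint value list. The reading of 922337203685477 as an INFINITE wait (2^63 in 100 ns units divided by 10,000) is an interpretation, not something the report states. The sample lines are constructed by copying the shape of lines in this section.

```python
"""Triage helpers for Joe Sandbox-style behaviour lines (added example, not report output)."""
import re
from collections import defaultdict

# Constructed sample: lines copied in shape from this section of the report.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C7091B second address: 4C7091F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc",
    r"Source: C:\Users\user\Desktop\U8uFcjIjAR.exe RDTSC instruction interceptor: First address: 4C709D5 second address: 4C70A37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, edi 0x00000009 pushad 0x0000000a mov ecx, edi 0x0000000c mov cx, bx 0x0000000f popad 0x00000010 mov eax, dword ptr [76FAB370h] 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F82FCB05531h 0x0000001c add ecx, 72AA94F6h 0x00000022 jmp 00007F82FCB05531h 0x00000027 popfd 0x00000028 mov bx, cx 0x0000002b popad 0x0000002c xor dword ptr [ebp-08h], eax 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F82FCB05539h 0x00000036 rdtsc",
    r"Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion",
    r"Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc",
    r"Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Thread delayed: delay time: 180000",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599704",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599516",
]

# Assumed line layout: "Source: <path without spaces> <event>: <detail>".
LINE_RE = re.compile(r"^Source: (?P<src>\S+) (?P<event>RDTSC instruction interceptor"
                     r"|Thread delayed|Registry key queried): (?P<detail>.*)$")
ADDR_SPLIT_RE = re.compile(r"\s*0x[0-9a-fA-F]{8}\s+")  # "0x0000000a mov ecx, edi" -> "mov ecx, edi"
SANDBOX_WINDOW_MS = 5 * 60 * 1000  # assumed analysis window; delay values are taken to be ms
# 2**63 in 100 ns units converted to ms: how an INFINITE wait surfaces after unit
# conversion (interpretation of the 922337203685477 value, not stated by the report).
INFINITE_MS = (1 << 63) // 10_000
# Value names commonly read to spot a hypervisor (assumed list, not from the report).
VM_FINGERPRINT_VALUES = {"SystemBiosVersion", "VideoBiosVersion", "DriverDesc",
                         "SystemManufacturer", "SystemProductName"}


def rdtsc_span(detail):
    """Classify the code between two consecutive RDTSC reads.

    Anything bracketed by pushad/popad or pushfd/popfd is restored before the second
    read, so it is filler; so are bare stack shuffles, jmp and nop. Only memory operands
    outside such a bracket are work the program could actually depend on.
    """
    text = detail.split("instructions: ", 1)[1].strip()
    insns = [i for i in ADDR_SPLIT_RE.split(text) if i]
    if len(insns) < 2 or insns[0] != "rdtsc" or insns[-1] != "rdtsc":
        raise ValueError("trace is not bounded by two rdtsc reads")
    depth, filler, memory = 0, 0, 0
    for insn in insns[1:-1]:
        mnem = insn.split()[0]
        if mnem in ("pushad", "pushfd"):
            depth += 1
        if depth or mnem in ("push", "pop", "jmp", "nop"):
            filler += 1
        elif "ptr [" in insn:
            memory += 1
        if mnem in ("popad", "popfd"):
            depth = max(depth - 1, 0)
    return {"insns": len(insns) - 2, "filler": filler, "memory_ops": memory}


def delay_profile(delays_by_proc):
    """Per process: infinite waits, longest finite sleep, window overrun, countdown steps.

    A run of delays each slightly shorter than the last (600000, 599704, 599516, ...) is a
    thread re-sleeping for the time left to a fixed deadline; fast-forwarding one sleep
    does not defeat it, so each step is counted.
    """
    out = {}
    for proc, delays in delays_by_proc.items():
        finite = [d for d in delays if d != INFINITE_MS]
        steps = sum(1 for a, b in zip(finite, finite[1:]) if 0 < a - b < 60_000)
        out[proc] = {"infinite_waits": len(delays) - len(finite),
                     "max_finite_ms": max(finite, default=0),
                     "exceeds_window": any(d > SANDBOX_WINDOW_MS for d in finite),
                     "countdown_steps": steps}
    return out


def fingerprint_queries(names_by_proc):
    """Registry value names per process that match the VM fingerprint list."""
    return {proc: sorted(n for n in names if n in VM_FINGERPRINT_VALUES)
            for proc, names in names_by_proc.items()}


def triage(lines):
    """Parse report lines and return one finding group per evasion category."""
    spans, delays, regs = [], defaultdict(list), defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # other event types are out of scope for this script
        src, event, detail = m.group("src", "event", "detail")
        if event == "RDTSC instruction interceptor":
            spans.append((src, rdtsc_span(detail)))
        elif event == "Thread delayed":
            delays[src].append(int(detail.rsplit(": ", 1)[1]))
        else:
            regs[src].append(detail.rsplit(" name: ", 1)[1])
    return {"rdtsc": spans, "sleeps": delay_profile(delays),
            "vm_fingerprint": fingerprint_queries(regs)}


if __name__ == "__main__":
    for category, finding in triage(SAMPLE_LINES).items():
        print(category, finding)
```

On the sample, the long trace from 4C709D5 to 4C70A37 comes out as 24 instructions of which 21 are filler and only two touch memory, so nothing computed between the two reads depends on their result; that is the profile of a timing probe or of junk-instruction obfuscation rather than of useful code, and either reading supports the evasion verdict. InstallUtil.exe shows one infinite wait, a 600000 ms (ten-minute) sleep that exceeds the assumed window, and two countdown steps, while explorha.exe pairs a three-minute sleep with reads of SystemBiosVersion and the display adapter's DriverDesc, the usual places where VirtualBox, VMware and QEMU identify themselves.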
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Thread delayed: delay time: 180000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599704
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599516
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599151
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599019
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598711
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 300000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598395
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593924
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 588485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 588047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 585610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 584482
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 584001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 583566
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 581180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 579907
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 579213
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 578558
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 576227
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 575071
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 574719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 574363
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 573972
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 573524
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 569008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 568477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 568091
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 567712
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 567304
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 564156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 563515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 563060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 562656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 562031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 561230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 560740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 559959
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 559279
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598454
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595224
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593989
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 590922
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 589890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 589062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 588343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 585015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 583343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 579734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 578890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 578125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 575015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 574359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 573455
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 570217
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 568866
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 565910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 564906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 564067
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 563398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 562624
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 559349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 558560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 554232
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 553280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 552405
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 549452
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 548247
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 544191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 543358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 542608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 539716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 538622
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 537853
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 530188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 528725
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 527910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 524915
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 524165
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 523269
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 518125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 517373
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 516573
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 516084
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 515540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 514997
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 514430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 514150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 513870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 513610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 513352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 513096
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 512830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 512455
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 512144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 511847
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 511596
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 511393
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 511136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 510890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 510671
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 510421
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 510109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 509687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 509250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 508992
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 508788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 508585
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 508366
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 508132
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 507888
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 507681
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 507486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 507246
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 507043
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 506808
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 506603
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 506384
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 506144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 505937
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 505671
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 505417
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 505120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 503427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 502623
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 502366
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 502163
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 501928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 501708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 501472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 501242
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 501040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 500847
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 500631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 500351
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 500162
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 499945
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 499677
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 494287
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 494052
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 493856
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 493667
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 493480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 493277
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 493078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 492831
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 492549
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 490234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 489974
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 489726
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 489422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 489203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 489000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 488804
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 488602
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 488398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 488164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 487820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 487600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 487304
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 486694
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 485305
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 485102
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 484914
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 484649
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 484414
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 484197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 484025
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 483880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 483681
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 483431
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 483147
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 482932
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 482768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 482599
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 482383
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 482219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 482032
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 481763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 479507
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 479012
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 478819
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 478643
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 478424
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 478189
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 477118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 476967
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 476767
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 476548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 476352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 476155
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 475973
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 475786
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 475552
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 474046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 473745
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 473511
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 473292
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 473082
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 472880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 472692
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 472504
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 472382
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 472200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 472016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 471834
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 471661
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 471462
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 471304
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 471109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 470865
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 470677
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 470500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 470351
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 470143
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 468363
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 467817
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 467621
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 467457
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 467301
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 467098
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 466887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 466672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 466478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 466283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 466071
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 465899
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 465739
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 465491
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 465304
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 465147
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 464953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 464678
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 464451
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 464224
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 464093
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 463920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 463748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 463589
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 463430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 463209
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 462965
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 462744
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 462523
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 462346
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 462214
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 462012
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 461869
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 461671
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 461482
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 461278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 461073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 460949
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 460777
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 460601
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 460366
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 460192
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 460004
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 459754
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 459602
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 459428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 459236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 459021
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 458880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 458504
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 458332
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 458165
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 458014
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 457838
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 457666
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 457505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 457326
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 457172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 456999
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 456837
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 456618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 456446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 456305
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 456133
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 455945
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 455742
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 455544
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 455356
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 455185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 455034
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 454822
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 454665
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 454447
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 454244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 454057
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 453890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 453714
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 453555
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 453383
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 453215
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 453041
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 452872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 452731
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 452532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 452281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 452078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 451889
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 451731
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 451546
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 451340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 451173
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 450996
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 450834
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 450660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 450488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 450326
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 450099
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 449941
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 449752
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 449614
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 449465
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 449318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 449115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 448951
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 448750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 448614
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 448426
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 448277
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 448108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 447944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 447829
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 447658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 447511
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 447282
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 447075
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 446887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 446757
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 446604
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 446417
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 446229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 446033
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 445856
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 445690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 445518
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 445353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 445184
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 445027
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 444884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 444742
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 444587
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 444374
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 444196
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 444035
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 443856
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 443741
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 443590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 443448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 443265
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 443074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 442931
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 442775
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 442494
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 442305
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 442189
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 442033
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 441846
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 441684
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 441559
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 441387
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 440976
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 440808
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 440668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 440526
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 440396
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 440262
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 440030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 439859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 439728
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 439610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 439423
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 439264
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 439131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 438952
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 438812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 438687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 438546
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 438373
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 438201
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 438071
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 437903
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 437739
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 437539
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 437389
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 437224
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 437049
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 436877
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 436716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 436530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 436325
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 436164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 435961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 435832
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 435687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 435547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 434297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 434102
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 433916
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 433744
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 433641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 433519
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 433347
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 433198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 433057
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 432885
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 432729
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 432604
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 432517
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 432336
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 432192
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 432008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 431835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 431702
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 431578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 431250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 431060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 430882
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 430741
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 430617
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 430466
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 430310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 430169
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 430011
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 429884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 429743
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 429587
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window / User API: threadDelayed 916
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window / User API: threadDelayed 1198
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window / User API: threadDelayed 1135
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window / User API: threadDelayed 1078
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window / User API: threadDelayed 1186
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window / User API: threadDelayed 1092
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 1931
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Window / User API: threadDelayed 8724
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4842
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1764
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Window / User API: threadDelayed 3824
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe Window / User API: threadDelayed 1708
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1992
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 6443
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\VIvaPgF4HG0I5BUqITqbcGpt.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\ASNAP1v7gSBWUV4M24VeAq7L.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\clip64[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\OQgcqQkt9mj3bwxHnZIa4s8D.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Ip8wtphk0sq5W1G9S0yXoRhB.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Dgwsf7w4EFU0DJenPeJFQ9dl.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\IPYyjHxAPykR30zffbRrZF82.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\ZdJVnsAsGFXjRLisReQL9qeg.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\U9sERAOeNr3mgv0e80M6A4fC.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\5RIkieBmHnRMmQ027PXhctux.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\KeaeBYEoeSKrt7OHYQWgw9KY.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\dCJ2FGsdDNOePKsle0wc5xjs.exe
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\hi1aLhmXAS9IuYfXRpFgbtIN.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\4gHWYulKwwC9mAGusyg1bN2y.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\yqAccZXldjURDvuE02Wzx66b.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\CzkueZo2uibKMWVlxXuuuYuf.exe
Source: C:\Users\user\Pictures\CpqmTFb0JovJ1ZbssYgoEukK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u5xs.2\relay.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\9MxwoVYUchzxPb9DWfXpxtIo.exe
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\svrht.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\HwacXgeZ7NROKRQE0PXEHrcz.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\c5Evvv7PYHJO6LpEaGq866pm.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\tIMIX6FhTytIBgdKnsKEeTL9.exe
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\QeUXLRBK3hnXmDh6BxEoxRr1.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\vf0hhs68KGG55pTpbMQhmnEF.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\yWV9WwJcUosMiP7cfkSd3H82.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\dPOp3jG6cTg3qN9wSAMJoEyW.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\kqWcoPWge2lBBTisp4lafa9T.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\56MSgzGjt7DCxuJwG3rlLC0n.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\LqEGPBEKUCUhBDJKv5mRRgZQ.exe
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\2Tou5zGna3sRH11GciMBbZgS.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\2fZdJDwSJsgUfWXz4vfSCNc2.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\1vyyhjyTv0WQsnxGKVgh8uWj.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\0LDENujoRxGDNSg8nAFeOW4T.exe
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\kJQmHVN1ymzFf6h1SAx9MRkd.exe
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u1eg.2\relay.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\y37mD1IuO45o81MbxoPzuNXd.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Lg7nSLwyiJZjUSW4G0qcX1yV.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\UD5c5lRW73IS3PFTwgbHbs5R.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\sAZX6pCAhoctp0pZlpHswGSQ.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\iPlB1qbFQFH1ftEutDuOvKvu.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\42aqT3i0exo8ClkJ9x9x76bj.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\xyMqBBjqvGfUL37YvYIuomy7.exe
Source: C:\Users\user\Pictures\CpqmTFb0JovJ1ZbssYgoEukK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u5xs.2\UIxMarketPlugin.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\dAzTHvN7U1zbeiGER55JOdmD.exe
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\H5yNpx42S8IZUDziNao5NoiZ.exe
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u1eg.3.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\qk0x06I6JhykUr9FfyCqWusc.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\mOkLcaTZpbuoAYzmfUDWaVew.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\U9TaXZF4Dtll7HWLvlflgS1k.exe
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\a61Zt3kxeVox4lwkSb04Exqv.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\WwT2X5ly4j7TYqCo1DiUNFVe.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\NrlBY7PHizkvtumpXDF2ZwbO.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\anYrNMf7BkK2nQqzIYyWir6K.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\cred64[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\reXPhdY9Ai5nG5RYgYEblrOi.exe
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\NjV6zIGZdVX0WeB8KyD9vVQX.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\cPV2bRPfjMzAHIg1WdlvEFuz.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\CW6I446Upi6pRJwdKk7DKik9.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Xf0R0h4D02qlmSsaNEARsgAC.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\tlTbd0P2iK6BETIro6KxfVNb.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\xiBUq473AMEj3R5tdfFowrHB.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\LfTUXDPwxqflzUdNce50hrbG.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\ME586VT0sUE29Jo7X6zYQs1O.exe
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u1eg.2\run.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\UiQzdb0JuVAuKhgIqFvM40tD.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\E2J4txsMwXF0FC1lSl4LeyeC.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\dr1rk0EffiWHIOEoIM0y02vz.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\bR4U6XYd9TFO6UTaUKN5r2h6.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\3ffKdsqDDK85YKPHUJ1yg9YY.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\7RNCUCyZQBj5TbzSirPLZTx4.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\PhNOluqeDQNAgQ6pyogubEva.exe
Source: C:\Users\user\Pictures\CpqmTFb0JovJ1ZbssYgoEukK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u5xs.2\run.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\YmRHdVjMjWfgOGnmlpMeFk3W.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\OcXMLXs1I7uPacTR3wj6FpuO.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\KD4MGqBmnl5yi0hAsXLSbdSy.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\ndb0fcrEXTitnmEiCwbBu17x.exe
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u1eg.2\UIxMarketPlugin.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\mFxRdQLZpyvaCG50kC1Vvtgm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\e9hVvSYXlP0xhhVB1Cn6Pgop.exe
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe API coverage: 1.4 %
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe API coverage: 9.7 %
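The dropped-file and API-coverage records above and the thread-sleep records that follow are the three evasion-related record types an analyst pulls out of this report first: the injected InstallUtil.exe wrote dozens of never-executed, 24-character random-named executables into Pictures and AppData\Local; u1eg.0.exe staged the NSS/MSVC runtime set (nss3, freebl3, softokn3, mozglue, msvcp140, vcruntime140) that Vidar/Stealc-type stealers fetch to decrypt Firefox logins; explorha.exe fetched the Amadey clip64/cred64 plugin DLLs; and several threads sat in long or infinite sleeps. The script below is an added example written for this page, not part of the Joe Sandbox report and not code from any of the detected families. It parses such record lines (stripping the "Jump to ..." link text the HTML report appends), groups drops by parent, applies the heuristics just listed, and reduces the sleep records to per-thread totals. Two interpretations are assumptions rather than documented facts: that "Thread sleep time" is a per-thread sum in milliseconds (the 30000 threshold would then be the 30-second rule, and 8724 × 30000 = 261720000 for NewB.exe TID 4080 fits), and that 922337203685477 is INT64_MIN/10000, the rendering of an infinite relative wait (Thread.Sleep(Timeout.Infinite)). NSS_DEPS, AMADEY_PLUGINS and the 24-character name pattern are heuristics chosen here. The sample records are copied verbatim from this report section.

```python
import re
from collections import Counter, defaultdict

# Record lines copied verbatim from the report section above (report output, not constructed).
# Two of them keep the trailing "Jump to ..." link text so the parser's stripping is exercised.
SAMPLE = r"""
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\Pictures\VIvaPgF4HG0I5BUqITqbcGpt.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\ASNAP1v7gSBWUV4M24VeAq7L.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\clip64[1].dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\svrht.exe
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe API coverage: 1.4 %
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 2472 Thread sleep count: 916 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 2472 Thread sleep time: -1832916s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe TID: 4080 Thread sleep count: 8724 > 30
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe TID: 4080 Thread sleep time: -261720000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5284 Thread sleep time: -922337203685477s >= -30000s
"""

LINK_TEXT = re.compile(r"\s*Jump to (?:dropped file|behavior)$")
DROP_RE = re.compile(r"^Source: (?P<parent>.+?) Dropped PE file which has not been started: (?P<path>.+)$")
COV_RE = re.compile(r"^Source: (?P<proc>.+?) API coverage: (?P<pct>[\d.]+) %$")
SLEEP_RE = re.compile(r"^Source: (?P<proc>.+?) TID: (?P<tid>\d+) Thread sleep (?P<kind>count|time): -?(?P<val>\d+)s? ")

# Assumption: the sandbox sums requested sleep durations per thread in milliseconds, and an
# infinite relative NtDelayExecution timeout (INT64_MIN, in 100 ns units) is rendered as this value.
INFINITE_MS = 922337203685477
# Heuristics chosen for this example, not report fields:
# Firefox/NSS and MSVC runtime libraries that Vidar/Stealc/Mars-type stealers fetch to decrypt logins.
NSS_DEPS = {"nss3.dll", "freebl3.dll", "softokn3.dll", "mozglue.dll", "msvcp140.dll", "vcruntime140.dll"}
AMADEY_PLUGINS = {"clip64.dll", "cred64.dll"}          # Amadey clipper and credential-stealer modules
RANDOM_EXE = re.compile(r"^[A-Za-z0-9]{24}\.exe$")       # 24-character alphanumeric names seen in this report


def basename(path):
    """Last path component, lower-cased, with the IE cache suffix ('[1]') removed."""
    name = path.rsplit("\\", 1)[-1]
    return re.sub(r"\[\d+\](?=\.\w+$)", "", name).lower()


def parse_report(text):
    """Split report lines into dropped-file, API-coverage and per-thread sleep records."""
    drops, coverage, sleeps = [], {}, defaultdict(dict)
    for raw in text.splitlines():
        line = LINK_TEXT.sub("", raw.strip())
        if not line:
            continue
        if m := DROP_RE.match(line):
            drops.append((m["parent"], m["path"]))
        elif m := COV_RE.match(line):
            coverage[m["proc"]] = float(m["pct"])
        elif m := SLEEP_RE.match(line):
            sleeps[(m["proc"], int(m["tid"]))][m["kind"]] = int(m["val"])
    return {"drops": drops, "coverage": coverage, "sleeps": dict(sleeps)}


def triage_drops(drops):
    """Group drops by the process that wrote them and flag the three patterns of interest."""
    out = {"by_parent": Counter(), "random_named": [], "nss_deps": [], "amadey_plugins": []}
    for parent, path in drops:
        out["by_parent"][basename(parent)] += 1
        name = basename(path)
        if RANDOM_EXE.match(name):
            out["random_named"].append(path)
        if name in NSS_DEPS:
            out["nss_deps"].append(path)
        if name in AMADEY_PLUGINS:
            out["amadey_plugins"].append(path)
    return out


def triage_sleeps(sleeps):
    """Per thread: how many infinite waits the total contains and the average finite delay per call."""
    rows = []
    for (proc, tid), rec in sleeps.items():
        total = rec.get("time", 0)
        infinite, rest = divmod(total, INFINITE_MS)
        count = rec.get("count")
        rows.append({
            "proc": basename(proc), "tid": tid, "count": count, "total_ms": total,
            "infinite_waits": infinite,
            "avg_ms": (rest // count) if count else None,   # only meaningful when the count was reported
        })
    return rows


def triage(text):
    rep = parse_report(text)
    return {"drops": triage_drops(rep["drops"]), "coverage": rep["coverage"],
            "sleeps": triage_sleeps(rep["sleeps"])}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2, default=str))
```

Under the cumulative reading, the two oddly large totals in the records that follow are consistent: -1844674407370954 (InstallUtil.exe TID 7472) is exactly 2 × 922337203685477 and -6456360425798339 (powershell.exe TID 6400) is exactly 7 × 922337203685477, i.e. two and seven infinite waits summed, which single Sleep calls could not produce. Likewise 261720000 / 8724 = 30000 for NewB.exe means that thread asked for a 30-second delay 8724 times, far longer than any analysis window; the run only completed because the sandbox accelerated the sleeps, so the count, not the elapsed time, is the evasion signal to key on.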
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 2472 Thread sleep count: 916 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 2472 Thread sleep time: -1832916s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 2436 Thread sleep count: 1198 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 2436 Thread sleep time: -2397198s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 2452 Thread sleep count: 1135 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 2452 Thread sleep time: -2271135s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 2448 Thread sleep time: -56000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 4256 Thread sleep count: 156 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 4256 Thread sleep time: -312156s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 6112 Thread sleep count: 44 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 6112 Thread sleep time: -1320000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 2860 Thread sleep count: 1078 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 2860 Thread sleep time: -2157078s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 7044 Thread sleep time: -2520000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 5328 Thread sleep count: 1186 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 5328 Thread sleep time: -2373186s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 5496 Thread sleep count: 1092 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 5496 Thread sleep time: -2185092s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2952 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1896 Thread sleep count: 1931 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1896 Thread sleep time: -1931000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe TID: 4080 Thread sleep count: 8724 > 30
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe TID: 4080 Thread sleep time: -261720000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe TID: 1784 Thread sleep count: 62 > 30
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe TID: 5532 Thread sleep time: -360000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6688 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6400 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5284 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe TID: 10092 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe TID: 10092 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe TID: 3356 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe TID: 5016 Thread sleep count: 1708 > 30
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe TID: 5016 Thread sleep time: -10248000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7612 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7480 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -1200000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7528 Thread sleep count: 6443 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -599704s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -599516s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -599375s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -599151s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -599019s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -598711s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -598547s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5504 Thread sleep time: -3600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -598395s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -598280s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -598136s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -598010s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -595735s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -595110s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -594672s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -594297s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -593924s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -593650s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -588485s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -588047s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -585610s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -584482s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -584001s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -583566s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -581180s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -579907s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -579213s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -578558s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -576227s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -575071s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -574719s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -574363s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -573972s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -573524s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -569008s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -568477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -568091s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -567712s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -567304s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -564156s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -563515s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -563060s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -562656s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -562031s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -561230s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -560740s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -559959s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -559279s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -599235s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -598454s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -595224s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -594687s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -593989s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -590922s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -589890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -589062s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -588343s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -585015s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -583343s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -579734s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -578890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -578125s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -575015s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -574359s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -573455s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -570217s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -568866s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -565910s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -564906s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -564067s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -563398s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -562624s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -559349s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -558560s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -554232s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -553280s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -552405s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -549452s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -548247s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -544191s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -543358s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -542608s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -539716s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -538622s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -537853s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -530188s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -528725s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -527910s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -524915s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -524165s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -523269s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -518125s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -517373s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -516573s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -516084s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -515540s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -514997s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -514430s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -514150s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -513870s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -513610s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -513352s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -513096s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -512830s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -512455s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -512144s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -511847s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -511596s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -511393s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -511136s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -510890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -510671s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -510421s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -510109s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -509687s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -509250s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -508992s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -508788s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -508585s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -508366s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -508132s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -507888s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -507681s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -507486s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -507246s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -507043s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -506808s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -506603s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -506384s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -506144s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -505937s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -505671s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -505417s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -505120s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -503427s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -502623s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -502366s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -502163s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -501928s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -501708s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -501472s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -501242s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -501040s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -500847s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -500631s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -500351s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -500162s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -499945s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -499677s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -494287s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -494052s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -493856s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -493667s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -493480s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -493277s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -493078s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -492831s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -492549s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -490234s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -489974s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -489726s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -489422s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -489203s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -489000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -488804s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -488602s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -488398s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -488164s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -487820s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -487600s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -487304s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -486694s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -485305s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -485102s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -484914s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -484649s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -484414s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -484197s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -484025s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -483880s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -483681s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -483431s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -483147s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -482932s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -482768s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -482599s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -482383s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -482219s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -482032s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -481763s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -479507s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -479012s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -478819s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -478643s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -478424s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -478189s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -477118s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -476967s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -476767s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -476548s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -476352s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -476155s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -475973s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -475786s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -475552s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -474046s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -473745s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -473511s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -473292s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -473082s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -472880s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -472692s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -472504s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -472382s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -472200s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -472016s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -471834s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -471661s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -471462s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -471304s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -471109s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -470865s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -470677s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -470500s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -470351s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -470143s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -468363s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -467817s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -467621s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -467457s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -467301s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -467098s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -466887s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -466672s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -466478s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -466283s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -466071s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -465899s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -465739s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -465491s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -465304s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -465147s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -464953s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -464678s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -464451s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -464224s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -464093s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -463920s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -463748s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -463589s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -463430s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -463209s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -462965s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -462744s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -462523s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -462346s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -462214s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -462012s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -461869s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -461671s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -461482s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -461278s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -461073s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -460949s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -460777s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -460601s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -460366s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -460192s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -460004s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -459754s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -459602s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -459428s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -459236s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -459021s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -458880s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -458504s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -458332s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -458165s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -458014s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -457838s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -457666s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -457505s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -457326s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -457172s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -456999s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -456837s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -456618s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -456446s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -456305s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -456133s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -455945s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -455742s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -455544s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -455356s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -455185s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -455034s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -454822s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -454665s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -454447s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -454244s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -454057s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -453890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -453714s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -453555s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -453383s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -453215s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -453041s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -452872s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -452731s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -452532s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -452281s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -452078s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -451889s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -451731s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -451546s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -451340s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -451173s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -450996s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -450834s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -450660s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -450488s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -450326s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -450099s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -449941s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -449752s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -449614s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -449465s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -449318s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -449115s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -448951s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -448750s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -448614s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -448426s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -448277s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -448108s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -447944s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -447829s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -447658s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -447511s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -447282s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -447075s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -446887s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -446757s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -446604s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -446417s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -446229s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -446033s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -445856s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -445690s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -445518s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -445353s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -445184s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -445027s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -444884s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -444742s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -444587s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -444374s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -444196s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -444035s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -443856s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -443741s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -443590s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -443448s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -443265s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -443074s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -442931s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -442775s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -442494s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -442305s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -442189s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -442033s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -441846s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -441684s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -441559s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -441387s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -440976s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -440808s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -440668s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -440526s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -440396s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -440262s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -440030s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -439859s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -439728s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -439610s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -439423s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -439264s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -439131s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -438952s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -438812s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -438687s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -438546s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -438373s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -438201s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -438071s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -437903s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -437739s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -437539s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -437389s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -437224s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -437049s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -436877s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -436716s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -436530s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -436325s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -436164s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -435961s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -435832s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -435687s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -435547s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -434297s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -434102s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -433916s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -433744s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -433641s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -433519s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -433347s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -433198s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -433057s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -432885s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -432729s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -432604s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -432517s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -432336s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -432192s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -432008s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -431835s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -431702s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -431578s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -431250s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -431060s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -430882s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -430741s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -430617s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -430466s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -430310s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -430169s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -430011s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -429884s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -429743s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7472 Thread sleep time: -429587s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7616 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe TID: 7108 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe TID: 7108 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Pictures\G5ySvIIiUZEng2gHEb0ia9X8.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1000233001\4767d2e713f2021e8fe856e3ea638b58.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\1000077001\jfesawdr.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Pictures\CpqmTFb0JovJ1ZbssYgoEukK.exe File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: 22_2_0012DB5E FindFirstFileExW, 22_2_0012DB5E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_0041D8B1 FindFirstFileExA, 24_2_0041D8B1
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_01BADB18 FindFirstFileExA, 24_2_01BADB18
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: 22_2_000F72F0 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo, 22_2_000F72F0
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Thread delayed: delay time: 180000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599704
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599516
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599151
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599019
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598711
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 300000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598395
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593924
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 588485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 588047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 585610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 584482
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 584001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 583566
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 581180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 579907
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 579213
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 578558
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 576227
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 575071
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 574719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 574363
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 573972
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 573524
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 569008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 568477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 568091
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 567712
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 567304
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 564156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 563515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 563060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 562656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 562031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 561230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 560740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 559959
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 559279
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598454
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595224
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593989
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 590922
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 589890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 589062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 588343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 585015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 583343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 579734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 578890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 578125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 575015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 574359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 573455
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 570217
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 568866
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 565910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 564906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 564067
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 563398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 562624
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 559349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 558560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 554232
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 553280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 552405
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 549452
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 548247
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 544191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 543358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 542608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 539716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 538622
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 537853
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 530188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 528725
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 527910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 524915
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 524165
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 523269
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 518125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 517373
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 516573
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 516084
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 515540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 514997
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 514430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 514150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 513870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 513610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 513352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 513096
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 512830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 512455
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 512144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 511847
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 511596
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 511393
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 511136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 510890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 510671
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 510421
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 510109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 509687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 509250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 508992
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 508788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 508585
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 508366
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 508132
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 507888
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 507681
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 507486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 507246
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 507043
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 506808
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 506603
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 506384
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 506144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 505937
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 505671
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 505417
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 505120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 503427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 502623
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 502366
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 502163
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 501928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 501708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 501472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 501242
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 501040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 500847
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 500631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 500351
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 500162
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 499945
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 499677
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 494287
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 494052
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 493856
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 493667
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 493480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 493277
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 493078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 492831
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 492549
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 490234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 489974
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 489726
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 489422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 489203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 489000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 488804
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 488602
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 488398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 488164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 487820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 487600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 487304
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 486694
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 485305
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 485102
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 484914
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 484649
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 484414
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 484197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 484025
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 483880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 483681
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 483431
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 483147
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 482932
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 482768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 482599
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 482383
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 482219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 482032
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 481763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 479507
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 479012
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 478819
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 478643
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 478424
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 478189
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 477118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 476967
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 476767
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 476548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 476352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 476155
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 475973
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 475786
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 475552
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 474046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 473745
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 473511
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 473292
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 473082
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 472880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 472692
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 472504
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 472382
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 472200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 472016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 471834
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 471661
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 471462
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 471304
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 471109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 470865
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 470677
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 470500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 470351
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 470143
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 468363
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 467817
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 467621
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 467457
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 467301
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 467098
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 466887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 466672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 466478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 466283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 466071
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 465899
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 465739
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 465491
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 465304
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 465147
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 464953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 464678
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 464451
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 464224
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 464093
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 463920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 463748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 463589
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 463430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 463209
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 462965
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 462744
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 462523
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 462346
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 462214
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 462012
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 461869
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 461671
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 461482
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 461278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 461073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 460949
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 460777
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 460601
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 460366
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 460192
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 460004
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 459754
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 459602
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 459428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 459236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 459021
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 458880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 458504
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 458332
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 458165
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 458014
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 457838
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 457666
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 457505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 457326
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 457172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 456999
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 456837
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 456618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 456446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 456305
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 456133
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 455945
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 455742
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 455544
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 455356
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 455185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 455034
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 454822
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 454665
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 454447
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 454244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 454057
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 453890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 453714
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 453555
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 453383
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 453215
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 453041
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 452872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 452731
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 452532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 452281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 452078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 451889
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 451731
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 451546
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 451340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 451173
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 450996
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 450834
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 450660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 450488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 450326
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 450099
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 449941
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 449752
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 449614
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 449465
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 449318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 449115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 448951
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 448750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 448614
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 448426
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 448277
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 448108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 447944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 447829
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 447658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 447511
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 447282
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 447075
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 446887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 446757
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 446604
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 446417
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 446229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 446033
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 445856
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 445690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 445518
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 445353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 445184
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 445027
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 444884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 444742
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 444587
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 444374
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 444196
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 444035
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 443856
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 443741
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 443590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 443448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 443265
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 443074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 442931
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 442775
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 442494
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 442305
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 442189
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 442033
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 441846
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 441684
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 441559
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 441387
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 440976
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 440808
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 440668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 440526
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 440396
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 440262
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 440030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 439859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 439728
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 439610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 439423
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 439264
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 439131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 438952
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 438812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 438687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 438546
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 438373
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 438201
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 438071
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 437903
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 437739
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 437539
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 437389
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 437224
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 437049
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 436877
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 436716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 436530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 436325
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 436164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 435961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 435832
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 435687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 435547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 434297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 434102
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 433916
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 433744
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 433641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 433519
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 433347
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 433198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 433057
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 432885
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 432729
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 432604
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 432517
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 432336
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 432192
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 432008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 431835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 431702
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 431578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 431250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 431060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 430882
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 430741
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 430617
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 430466
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 430310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 430169
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 430011
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 429884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 429743
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 429587
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\Videos\desktop.ini
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\Music\desktop.ini
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\OneDrive\desktop.ini
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local
Source: jok.exe, 00000017.00000002.6041581644.00000000029C8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.0000000003E40000.00000040.00001000.00020000.00000000.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000400000.00000040.00000001.01000000.0000001F.sdmp Binary or memory string: DnsRecordListFreeENHANCE_YOUR_CALMEnumThreadWindowsFLE Standard TimeFailed DependencyGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetShortPathNameWHEADER_TABLE_SIZEHKEY_CLASSES_ROOTHKEY_CURRENT_USERHTTP_1_1_REQUIREDIf-Modified-SinceIsTokenRestrictedLookupAccountSidWMESSAGE-INTEGRITYMoved PermanentlyOld_North_ArabianOld_South_ArabianOther_ID_ContinuePython-urllib/2.5QueryWorkingSetExRESERVATION-TOKENReadProcessMemoryRegLoadMUIStringWRtlGetCurrentPebSafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenSystemFunction036Too Many RequestsTransfer-EncodingUnexpected escapeUnified_IdeographUnknown AttributeVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseWrong CredentialsX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDN
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000400000.00000040.00000001.01000000.0000001F.sdmp Binary or memory string: IP addressIsValidSidKeep-AliveKharoshthiLocalAllocLockFileExLogonUserWManichaeanMessage-IdNo ContentOld_ItalicOld_PermicOld_TurkicOpenEventWOpenMutexWOpenThreadOther_MathPOSTALCODEParseAddr(ParseFloatPhoenicianProcessingPulseEventRIPEMD-160RST_STREAMResetEventSHA256-RSASHA384-RSASHA512-RSASYSTEMROOTSaurashtraSecureBootSet-CookieShowWindowTor uptimeUser-AgentVMSrvc.exeWSACleanupWSASocketWWSAStartupWget/1.9.1Windows 10Windows 11[:^alnum:][:^alpha:][:^ascii:][:^blank:][:^cntrl:][:^digit:][:^graph:][:^lower:][:^print:][:^punct:][:^space:][:^upper:][:xdigit:]\\.\WinMon\patch.exe^{[\w-]+}$app_%d.txtatomicand8attr%d=%s cmd is nilcomplex128connectiondebug calldnsapi.dlldsefix.exedwmapi.dlle.keff.orgexecerrdotexitThreadexp masterfloat32nanfloat64nangetsockoptgoroutine http_proxyimage/avifimage/jpegimage/webpimpossibleindicationinvalid IPinvalidptrkeep-alivemSpanInUsemyhostnameno resultsnot a boolnot signednotifyListowner diedpowershellprl_cc.exeprofInsertres binderres masterresumptionrune <nil>runtime: gs.state = schedtracesemacquiresend stateset-cookiesetsockoptskipping: socks bindstackLarget.Kind == terminatedtext/plaintime.Date(time.Localtracefree(tracegc()
Source: jok.exe, 00000017.00000002.6041581644.00000000029C8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000400000.00000040.00000001.01000000.0000001F.sdmp Binary or memory string: acceptactivechan<-closedcookiedirectdomainefenceempty exec: expectfamilygeoip6gopherhangupheaderinternip+netkilledlistenminutenetdnsnumberobjectoriginpopcntrdtscpreadatreasonremoverenamereturnrun-v3rune1 secondselectsendtoserversocketsocks socks5statusstringstructsweep sysmontelnettimersuint16uint32uint64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> allocs dying= flags= len=%d locks= m->g0= nmsys= pad1= pad2= s=nil
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000400000.00000040.00000001.01000000.0000001F.sdmp Binary or memory string: (MISSING)(unknown), newval=, oldval=, size = , tail = -07:00:00/api/cdn?/api/poll127.0.0.1244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticEVEN-PORTExecQueryFindCloseForbiddenGetDIBitsHex_DigitInheritedInstMatchInstRune1InterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanNot FoundOP_RETURNOSCaptionPalmyreneParseUintPatchTimePublisherReleaseDCRemoveAllSTUN addrSamaritanSee OtherSeptemberSundaneseSysnativeToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyVBoxGuestVBoxMouseVBoxVideoWSASendToWednesdayWindows 7WriteFileZ07:00:00[%v = %d][:^word:][:alnum:][:alpha:][:ascii:][:blank:][:cntrl:][:digit:][:graph:][:lower:][:print:][:punct:][:space:][:upper:]_outboundatomicor8attributeb.ooze.ccbad indirbus errorchallengechan sendcomplex64connectexcopystackcsrss.exectxt != 0d.nx != 0dns,filesecdsa.netempty urlfiles,dnsfn.48.orgfodhelperfork/execfuncargs(gdi32.dllhchanLeafimage/gifimage/pnginittraceinterfaceinterruptinvalid nipv6-icmplocalhostmSpanDeadnew tokennil errorntdll.dllole32.dllomitemptyop_returnpanicwaitpatch.exepclmulqdqpreemptedprintableprofBlockprotocol proxy.exepsapi.dllquestionsreboot inrecover: reflect: rwxrwxrwxscavtracestackpoolsucceededtask %+v
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6000753987.00000000038FF000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: ameNewaPINGPOSTPathQEMUROOTH
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000400000.00000040.00000001.01000000.0000001F.sdmp Binary or memory string: too many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.PointeruserArenaStatevirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0xenservice.exezero parameter with GC prog
Source: ISetup8.exe, 00000018.00000003.2807691606.0000000004D29000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMWARE_VIRTUAL
Source: jok.exe, 00000017.00000002.6041581644.00000000029C8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: jok.exe, 00000017.00000002.6041581644.00000000029C8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: jok.exe, 00000017.00000002.6041581644.00000000029C8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: rundll32.exe, 00000006.00000002.5624870860.00000162366F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5462964818.00000162366F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW7y
Source: podaw.exe, 00000030.00000003.3516254761.000000000394A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: podaw.exe, 00000030.00000003.3516254761.000000000394A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: file300un.exe, 0000001D.00000002.2861385706.000001F09E930000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: file300un.exe, 0000001D.00000002.2861385706.000001F09E930000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: podaw.exe, 00000030.00000003.3516254761.000000000394A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: jok.exe, 00000017.00000002.6041581644.00000000029C8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: file300un.exe, 0000001D.00000002.2861385706.000001F09E930000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000400000.00000040.00000001.01000000.0000001F.sdmp Binary or memory string: tracebackunderflowunhandleduninstallunzip Torunzip: %wurn:uuid:w3m/0.5.1wbufSpanswebsocketxenevtchn} stack=[ netGo = MB goal, flushGen for type gfreecnt= heapGoal= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= stream=%d sweepgen sweepgen= targetpc= throwing= until pc=%!(NOVERB)%!Weekday(%s.uuid.%s%s|%s%s|%s(BADINDEX), bound = , limit = -noprofile-uninstall.localhost/dev/stdin/etc/hosts/show-eula12207031256103515625: parsing :authorityAdditionalBad varintCampaignIDCancelIoExChorasmianClassCHAOSClassCSNETConnectionContent-IdCreateFileCreatePipeDSA-SHA256DeprecatedDevanagariDnsQuery_WECDSA-SHA1END_STREAMERROR-CODEException GC forced
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.0000000004283000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: main.isRunningInsideVMWare
Source: netsh.exe, 0000000A.00000003.2168020817.0000022389745000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllUU
Source: file300un.exe, 0000001D.00000002.2861385706.000001F09E930000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: podaw.exe, 00000030.00000003.3516254761.000000000394A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: ISetup8.exe, 00000018.00000003.2807691606.0000000004D29000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Enterprise without Hyper-V Full
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.0000000003E40000.00000040.00001000.00020000.00000000.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000400000.00000040.00000001.01000000.0000001F.sdmp Binary or memory string: 100-continue127.0.0.1:%d127.0.0.1:53152587890625762939453125AUTHENTICATEBidi_ControlCIDR addressCONTINUATIONCfgMgr32.dllCoCreateGuidCoInitializeContent TypeContent-TypeCookie.ValueCreateEventWCreateMutexWDeleteObjectECDSA-SHA256ECDSA-SHA384ECDSA-SHA512ErrUnknownPCFindNextFileGetAddrInfoWGetConsoleCPGetLastErrorGetLengthSidGetProcessIdGetStdHandleGetTempPathWGetUserGeoIDGlobalUnlockGlobal\csrssI'm a teapotInstAltMatchJoin_ControlLittleEndianLoadLibraryWLoadResourceLockResourceMax-ForwardsMeetei_MayekMime-VersionMulti-StatusNot ExtendedNot ModifiedNtCreateFileOpenServiceWPUSH_PROMISEPahawh_HmongRCodeRefusedRCodeSuccessReadConsoleWReleaseMutexReportEventWResumeThreadRevertToSelfRoInitializeS-1-5-32-544SERIALNUMBERSelectObjectServer ErrorSetEndOfFileSetErrorModeSetStdHandleSora_SompengSyloti_NagriSysStringLenThread32NextTor mode setTransmitFileUnauthorizedUnlockFileExVBoxTray.exeVariantClearVirtualAllocVirtualQueryWinmon32.sysWinmon64.sysWintrust.dllX-ImforwardsX-Powered-By[[:^ascii:]]\/(\d+)-(.*)\\.\WinMonFSabi mismatchadvapi32.dllaltmatch -> anynotnl -> bad flushGenbad g statusbad g0 stackbad recoverybad value %dbootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOcountry_codedse disableddumping heapend tracegc
Source: ISetup8.exe, 00000018.00000003.2648636393.00000000037A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: user-PC\user00#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}79]
Source: U8uFcjIjAR.exe, U8uFcjIjAR.exe, 00000000.00000002.2056986707.0000000000786000.00000040.00000001.01000000.00000003.sdmp, explorha.exe, explorha.exe, 00000003.00000002.2114436848.00000000010B6000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: ISetup8.exe, 00000018.00000003.2807691606.0000000004D29000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: QEMU_HARDU
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000400000.00000040.00000001.01000000.0000001F.sdmp Binary or memory string: GetActiveObjectGetAdaptersInfoGetCommTimeoutsGetCommandLineWGetFirmwareTypeGetProcessTimesGetSecurityInfoGetStartupInfoWGlobal\qtxp9g8wHanifi_RohingyaICE-CONTROLLINGIdempotency-KeyImpersonateSelfInstall failureIsWindowUnicodeIsWindowVisibleIsWow64Process2Length RequiredLoadLibraryExALoadLibraryExWNot ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePKCS1WithSHA256PKCS1WithSHA384PKCS1WithSHA512Partial ContentPostQuitMessageProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
Source: ISetup8.exe, 00000018.00000003.2807691606.0000000004D29000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Standard without Hyper-V Full
Source: podaw.exe, 00000030.00000003.3516254761.000000000394A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: ISetup8.exe, 00000018.00000002.3746524697.0000000003781000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllDataBP1
Source: jok.exe, 00000017.00000002.6041581644.00000000029C8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: ISetup8.exe, 00000018.00000003.2648279558.000000000379D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: jok.exe, 00000017.00000002.6041581644.00000000029C8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: jok.exe, 00000017.00000002.6041581644.00000000029C8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: RegAsm.exe, 00000008.00000002.2375987946.00000000013FA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tvZbQLJnTojSZZhIosgZtHxrhGfslLXyZsG9dOOl
Source: podaw.exe, 00000030.00000003.3516254761.000000000394A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: file300un.exe, 0000001D.00000002.2861385706.000001F09E930000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: podaw.exe, 00000030.00000003.3516254761.000000000394A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: podaw.exe, 00000030.00000003.3516254761.000000000394A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: podaw.exe, 00000030.00000003.3516254761.000000000394A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: podaw.exe, 00000030.00000003.3516254761.000000000394A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: jok.exe, 00000017.00000002.6041581644.00000000029C8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: podaw.exe, 00000030.00000003.3516254761.000000000394A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: podaw.exe, 00000030.00000003.3516254761.000000000394A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: ISetup8.exe, 00000018.00000003.2807691606.0000000004D29000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6without Hyper-V for Windows Essential Server Solutions
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6000753987.00000000038FF000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: vmhgfsP
Source: podaw.exe, 00000030.00000003.3516254761.000000000394A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000400000.00000040.00000001.01000000.0000001F.sdmp Binary or memory string: Not ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePKCS1WithSHA256PKCS1WithSHA384PKCS1WithSHA512Partial ContentPostQuitMessageProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
Source: podaw.exe, 00000030.00000003.3516254761.000000000394A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: file300un.exe, 0000001D.00000002.2861385706.000001F09E930000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: podaw.exe, 00000030.00000003.3516254761.000000000394A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: jok.exe, 00000017.00000002.6041581644.00000000029C8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000400000.00000040.00000001.01000000.0000001F.sdmp Binary or memory string: VirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dllauthorizationbad flushGen bad map statebtc.cihar.combtc.xskyx.netcache-controlcontent-rangecouldn't polldalTLDpSugct?data is emptydouble unlockemail addressempty integerexchange fullfatal error: gethostbynamegetservbynamegzip, deflateif-none-matchignoring fileimage/svg+xmlinvalid ASN.1invalid UTF-8invalid base kernel32.dllkey expansionlame referrallast-modifiedlevel 3 resetload64 failedmaster secretmin too largename is emptynil stackbasenot a Float32open file: %wout of memoryparallels: %wparsing time powrprof.dllprl_tools.exeprofMemActiveprofMemFutureread EULA: %wrebooting nowruntime: seq=runtime: val=service stateset event: %wsigner is nilsocks connectsrmount errortimer expiredtraceStackTabtrailing dataunimplementedunsupported: user canceledvalue method virtualpc: %wxadd64 failedxchg64 failed}
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000400000.00000040.00000001.01000000.0000001F.sdmp Binary or memory string: unixpacketunknown pcuser-agentuser32.dllvmusbmousevmware: %wws2_32.dll of size (targetpc= , plugin: ErrCode=%v KiB work, bytes ...
Source: jok.exe, 00000017.00000002.6041581644.00000000029C8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000400000.00000040.00000001.01000000.0000001F.sdmp Binary or memory string: VersionVirtualWSARecvWSASend"%s" %stypes value=abortedalt -> answersany -> booleancharsetchunkedcmd.execonnectconsolecpu: %scpuprofderiveddriversexpiresfloat32float64forcegcgctracehead = http://invalidlog.txtlookup messageminpc= nil keynop -> number pacer: panic: readdirrefererrefreshrequestrunningserial:server=signal svc_versyscalltor.exetraileruintptrunknownupgradeversionvmmousevpcuhubwaitingwindowswsarecvwsasendwup_verxen: %wxennet6 bytes, data=%q etypes incr=%v is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= ping=%q pointer stack=[ status %!Month(%02d%02d%s %s:%d%s: 0x%x-cleanup2.5.4.102.5.4.112.5.4.1748828125?4#?'1#0AcceptExAcceptedAllocateAltitudeArmenianBAD RANKBalineseBopomofoBugineseCancelIoCherokeeClassANYConflictContinueCurveID(CyrillicDNS nameDSA-SHA1DecemberDefenderDeleteDCDuployanEULA.txtEqualSidEthiopicExtenderFebruaryFirewallFullPathGeorgianGetOEMCPGoStringGujaratiGurmukhiHTTP/1.1HTTP/2.0HiraganaInstFailInstRuneIsWindowJavaneseKatakanaKayah_LiLIFETIMELinear_ALinear_BLocationLsaCloseMD5+SHA1MahajaniNO_ERRORNO_PROXYNovemberOl_ChikiPRIORITYPROGRESSParseIntPersoconPhags_PaQuestionReadFileReceivedSETTINGSSHA1-RSASHA3-224SHA3-256SHA3-384SHA3-512SOFTWARESaturdaySetEventSystem32TagbanwaTai_ThamTai_VietThursdayTifinaghTypeAAAATypeAXFRUSERHASHUSERNAMEUgariticVBoxWddmWSAIoctlWinmonFSWmiPrvSE[::1]:53[:word:][signal \\.\HGFS\\.\vmcistack=[_NewEnum_gatewayacceptexaddress bad instcgocheckcontinuecs deadlockdefault:dial: %wdnsquerydurationeax ebp ebx ecx edi edx eflags eip embeddedesi esp execwaitexporterf is nilfinishedfs gs hijackedhttp/1.1https://if-matchif-rangeinfinityinjectorinvalid linkpathlocationmac_addrmountvolmsvmmoufno 
anodeno-cacheno_proxypollDescreadfromrecvfromreflect.runnableruntime.rwmutexRrwmutexWscavengeshutdownstrconv.taskkilltor_modetraceBuftrigger=unixgramunknown(usernamevmmemctlvmx_svgawalk: %wwsaioctlwuauservx509sha1yuio.top (forced) B exp.) B work ( blocked= in use)
Source: ISetup8.exe, 00000018.00000003.2807691606.0000000004D29000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Standard without Hyper-V Core
Source: jok.exe, 00000017.00000002.6041581644.00000000029C8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: jok.exe, 00000017.00000002.6041581644.00000000029C8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: U8uFcjIjAR.exe, 00000000.00000002.2056986707.0000000000786000.00000040.00000001.01000000.00000003.sdmp, explorha.exe, 00000003.00000002.2114436848.00000000010B6000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: jok.exe, 00000017.00000002.6041581644.00000000029C8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: podaw.exe, 00000030.00000003.3516254761.000000000394A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: jok.exe, 00000017.00000002.6041581644.00000000029C8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000400000.00000040.00000001.01000000.0000001F.sdmp Binary or memory string: ... omitting accept-charsetafter EfiGuardallocfreetracebad allocCountbad record MACbad restart PCbad span statebtc.usebsv.comcert installedchecksum errorcontent-lengthcouldn't patchdata truncateddistributor_iddriver removederror responsefile too largefinalizer waitgcstoptheworldget uptime: %wgetprotobynamegot system PIDinitial serverinternal errorinvalid syntaxis a directorykey size wronglevel 2 haltedlevel 3 haltedmemprofileratemultipartfilesneed more datanil elem type!no module datano such deviceopen event: %wparse cert: %wprotocol errorread certs: %wread_frame_eofreflect.Value.remove app: %wruntime: full=runtime: want=s.allocCount= semaRoot queueserver.versionstack overflowstart task: %wstopm spinningstore64 failedsync.Cond.Waittext file busytime.Location(timeEndPeriodtoo many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.PointeruserArenaStatevirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0xenservice.exezero parameter with GC prog
Source: file300un.exe, 0000001D.00000002.2861385706.000001F09E930000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000400000.00000040.00000001.01000000.0000001F.sdmp Binary or memory string: entersyscallexit status failed to %wfound av: %sgcBitsArenasgcpacertracegetaddrinfowgot TI tokenguid_machineharddecommithost is downhttp2debug=1http2debug=2illegal seekinjector.exeinstall_dateinvalid baseinvalid pathinvalid portinvalid slotiphlpapi.dllkernel32.dllmachine_guidmadvdontneedmax-forwardsmheapSpecialmsftedit.dllmspanSpecialnetapi32.dllno such hostnon-existentnot pollableoleaut32.dllout of rangeparse PE: %wproxyconnectrandautoseedrecv_goaway_reflect.Copyreleasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen (default %q) (default %v) MB globals, MB) workers= called from flushedWork idlethreads= in host name is nil, not nStackRoots= out of range pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= %s/rawaddr/%s%s\%s\drivers, gp->status=, not pointer-bind-address-byte block (3814697265625: unknown pc Accept-RangesAuthorizationCLIENT_RANDOMCONNECTION-IDCONNECT_ERRORCache-ControlCertOpenStoreCoTaskMemFreeConnectServerContent-RangeDONT-FRAGMENTDeleteServiceDestroyWindowDistributorIDECDSAWithSHA1EnumProcessesExitWindowsExFQDN too longFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGeoIPFile %s
Source: ISetup8.exe, 00000018.00000003.2807691606.0000000004D29000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Datacenter without Hyper-V Core
Source: podaw.exe, 00000030.00000003.3516254761.000000000394A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: podaw.exe, 00000030.00000003.3516254761.000000000394A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: file300un.exe, 0000001D.00000002.2861385706.000001F09E930000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: podaw.exe, 00000030.00000003.3516254761.000000000394A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: podaw.exe, 00000030.00000003.3516254761.000000000394F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696428655p
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000400000.00000040.00000001.01000000.0000001F.sdmp Binary or memory string: VirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dll
Source: rundll32.exe, 00000006.00000002.5624870860.00000162366F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5462964818.00000162366F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5462964818.00000162366B9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.5624870860.00000162366B2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.2365829298.0000000001379000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.2365829298.00000000013B0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2673195541.00000220AD837000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628124463.00000220AD83A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2720427105.00000220AD839000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.4628585388.00000220AD8DA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001C.00000002.4777581729.0000000000C99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file300un.exe, 0000001D.00000002.2861385706.000001F09E930000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: file300un.exe, 0000001D.00000002.2861385706.000001F09E930000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: podaw.exe, 00000030.00000003.3516254761.000000000394A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6000753987.00000000038FF000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: 11VBoxSFWINDIRWD
Source: podaw.exe, 00000030.00000003.3516254761.000000000394A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: jok.exe, 00000017.00000002.6041581644.00000000029C8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5959325242.0000000001E1E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll9
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6000753987.00000000038FF000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: aryvmcixn-SR-%W
Source: podaw.exe, 00000030.00000003.3516254761.000000000394A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: podaw.exe, 00000030.00000003.3516254761.000000000394A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: podaw.exe, 00000030.00000003.3516254761.000000000394F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: YNVMware
Source: u1eg.0.exe, 00000020.00000002.5887240245.0000000001DDB000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: podaw.exe, 00000030.00000003.3516254761.000000000394A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: file300un.exe, 0000001D.00000002.2861385706.000001F09E930000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: jok.exe, 00000017.00000002.6041581644.00000000029C8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: jok.exe, 00000017.00000002.6041581644.00000000029C8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: RegAsm.exe, 0000001C.00000002.4777581729.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwareS
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000400000.00000040.00000001.01000000.0000001F.sdmp Binary or memory string: , i = , not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.local.onion/%d-%s370000390625:31461<-chanAcceptAnswerArabicAugustBUTTONBasic BitBltBrahmiCANCELCONIN$CancelCarianChakmaCommonCookieCopticExpectFltMgrFormatFridayGOAWAYGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLengthLepchaLockedLycianLydianMondayPADDEDPcaSvcPragmaRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11VBoxSFWINDIRWanchoWinMonWinmonX25519Yezidi[]byte\??\%s\csrss\ufffd
Source: ISetup8.exe, 00000018.00000003.2807691606.0000000004D29000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Datacenter without Hyper-V Full
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6000753987.00000000038FF000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: tVMSrvcs|!
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000400000.00000040.00000001.01000000.0000001F.sdmp Binary or memory string: and got= max= ms, ptr tab= top=%s %q%s %s%s*%d%s/%s%s:%d%s=%s&#34;&#39;&amp;+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930.avif.html.jpeg.json.wasm.webp1.4.2156253.2.250001500025000350004500055000650512560015600278125:***@:path<nil>AdlamAprilBamumBatakBuhidCall ClassCountDograECDSAErrorFlagsFoundGetDCGreekHTTP/KhmerLatinLimbuLocalLstatMarchNONCENushuOghamOriyaOsageP-224P-256P-384P-521PGDSEREALMRangeRealmRunicSHA-1STermTakriTamilTypeAUSTARUUID=\u202] = (allowarrayatimebad nchdirchmodclosecsrssctimedeferfalsefaultfilesfloatgcinggeoipgnamegscanhchanhostshttpsimap2imap3imapsinit int16int32int64matchmheapmkdirmonthmtimentohspanicparsepgdsepop3sproxyrangermdirrouterune scav schedsdsetsleepslicesockssse41sse42ssse3sudogsweeptext/tls: torrctotaltraceuint8unameusageuser=utf-8valuevmusbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...)
Source: jok.exe, 00000017.00000002.6041581644.00000000029C8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: podaw.exe, 00000030.00000003.3516254761.000000000394A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: ISetup8.exe, 00000018.00000003.2807691606.0000000004D29000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft Hyper-V Server
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000400000.00000040.00000001.01000000.0000001F.sdmp Binary or memory string: RTP.exeSYSTEMROOT=SetFileTimeSignWritingSoft_DottedSystemDriveTTL expiredUninstallerVBoxServiceVMUSrvc.exeVariantInitVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWinDefender[:^xdigit:]\dsefix.exeadditionalsalarm clockapplicationassistQueueauthoritiesbad addressbad argSizebad m valuebad messagebad timedivbitcoins.skbroken pipecampaign_idcgocall nilclobberfreeclosesocketcombase.dllcreated by crypt32.dlle2.keff.orgembedded/%sexternal IPfile existsfinal tokenfloat32nan2float64nan1float64nan2float64nan3gccheckmarkgeneralizedget CDN: %wgetpeernamegetsocknameglobalAllochttp2clienthttp2serverhttps_proxyi/o timeoutlocal errormSpanManualmethodargs(minTrigger=move %s: %wmswsock.dllnetpollInitnext servernil contextopera-proxyorannis.comout of syncparse errorprocess: %sreflect.SetreflectOffsretry-afterruntime: P runtime: g runtime: p scheddetailsechost.dllsecur32.dllservice: %sshell32.dllshort writestack tracestart proxytaskmgr.exetls: alert(tracealloc(traffic updunreachableuserenv.dllversion.dllversion=195wininet.dllwup_process (sensitive) B (
Source: podaw.exe, 00000030.00000003.3516254761.000000000394A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: jok.exe, 00000017.00000002.6041581644.00000000029C8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.0000000003E40000.00000040.00001000.00020000.00000000.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000400000.00000040.00000001.01000000.0000001F.sdmp Binary or memory string: SafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenSystemFunction036Too Many RequestsTransfer-EncodingUnexpected escapeUnified_IdeographUnknown AttributeVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseWrong CredentialsX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDN
Source: ISetup8.exe, 00000018.00000003.2807691606.0000000004D29000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Enterprise without Hyper-V Core
Source: RegAsm.exe, 0000001C.00000002.4777581729.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000002C.00000002.4087228479.0000000002854000.00000004.00000800.00020000.00000000.sdmp, CpqmTFb0JovJ1ZbssYgoEukK.exe, 0000002F.00000002.3796315364.0000000001D44000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
Source: jok.exe, 00000017.00000002.6041581644.00000000029C8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: podaw.exe, 00000030.00000003.3516254761.000000000394A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6053929407.0000000003E40000.00000040.00001000.00020000.00000000.sdmp, G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000400000.00000040.00000001.01000000.0000001F.sdmp Binary or memory string: ><'\'') = ) m=+Inf-Inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.sys.xml0x%x1.1110803125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCDN=CESTChamDATADashDataDateEESTEULAEtagFromGOGCGoneHostJulyJuneLEAFLisuMiaoModiNZDTNZSTNameNewaPINGPOSTPathQEMUROOTSASTSTARSendStatTempThaiTypeUUID"%s"\rss\smb\u00
Source: jok.exe, 00000017.00000002.6041581644.00000000029C8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: jok.exe, 00000017.00000002.6041581644.00000000029C8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: podaw.exe, 00000030.00000003.3516254761.000000000394A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: podaw.exe, 00000030.00000003.3516254761.000000000394A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: podaw.exe, 00000030.00000003.3516254761.000000000394A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: file300un.exe, 0000001D.00000002.2861385706.000001F09E930000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: podaw.exe, 00000030.00000003.3516254761.000000000394A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: jok.exe, 00000017.00000002.6618718835.0000000006113000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000024.00000002.5782638468.000000000108A000.00000004.00000020.00020000.00000000.sdmp, CpqmTFb0JovJ1ZbssYgoEukK.exe, 0000002F.00000002.3825242603.00000000037AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.6000753987.00000000038FF000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: \\.\HGFS`
Source: jok.exe, 00000017.00000002.6041581644.00000000029C8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: jok.exe, 00000017.00000002.6041581644.00000000029C8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: jok.exe, 00000017.00000002.6041581644.00000000029C8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: ISetup8.exe, 00000018.00000002.3746956983.00000000037A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_
Source: jok.exe, 00000017.00000002.6041581644.00000000029C8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: G5ySvIIiUZEng2gHEb0ia9X8.exe, 00000031.00000002.5829605644.0000000000400000.00000040.00000001.01000000.0000001F.sdmp Binary or memory string: m=] = ] n=allgallparchasn1avx2basebindbitsbmi1bmi2boolcallcap cas1cas2cas3cas4cas5cas6chandatedeaddialdoneermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (at ...
Source: jok.exe, 00000017.00000002.6041581644.00000000029C8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: RegAsm.exe, 0000002C.00000002.4059491346.00000000008AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWI
Source: jok.exe, 00000017.00000002.6041581644.00000000029C8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: jok.exe, 00000017.00000002.6041581644.00000000029C8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File opened: SIWVID
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000080001\alexxxxxxxx.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000080001\alexxxxxxxx.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Code function: 0_2_04CD04CD rdtsc 0_2_04CD04CD
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: 22_2_00126B6B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_00126B6B
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: 22_2_0011C08C LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 22_2_0011C08C
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: 22_2_0012A292 mov eax, dword ptr fs:[00000030h] 22_2_0012A292
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: 22_2_0012661B mov eax, dword ptr fs:[00000030h] 22_2_0012661B
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_004139E7 mov eax, dword ptr fs:[00000030h] 24_2_004139E7
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_01B9092B mov eax, dword ptr fs:[00000030h] 24_2_01B9092B
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_01B90D90 mov eax, dword ptr fs:[00000030h] 24_2_01B90D90
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_01BA3C4E mov eax, dword ptr fs:[00000030h] 24_2_01BA3C4E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_01C9B47B push dword ptr fs:[00000030h] 24_2_01C9B47B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_00415DC0 mov eax, dword ptr fs:[00000030h] 28_2_00415DC0
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: 22_2_0012EDB4 GetProcessHeap, 22_2_0012EDB4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process token adjusted: Debug
Source: C:\Users\user\Pictures\G5ySvIIiUZEng2gHEb0ia9X8.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000233001\4767d2e713f2021e8fe856e3ea638b58.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: 22_2_0010D2DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 22_2_0010D2DC
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: 22_2_00126B6B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_00126B6B
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: 22_2_0010DCAA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_0010DCAA
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: 22_2_0010DE0F SetUnhandledExceptionFilter, 22_2_0010DE0F
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_00409A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_00409A73
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_00409C06 SetUnhandledExceptionFilter, 24_2_00409C06
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_00409EBE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 24_2_00409EBE
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_0041073B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_0041073B
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_01BA09A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_01BA09A2
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_01B9A125 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 24_2_01B9A125
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_01B99CDA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_01B99CDA
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: 24_2_01B99E6D SetUnhandledExceptionFilter, 24_2_01B99E6D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_00419DC7 SetUnhandledExceptionFilter, 28_2_00419DC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_00417B4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 28_2_00417B4E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_004173DD memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 28_2_004173DD
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Memory allocated: page read and write | page guard
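The evidence in this section mixes strong anti-debugging indicators (ThreadHideFromDebugger, ProcessDebugPort, the SoftICE device names NTICE/SICE/SIWVID, FindWindow lookups for ollydbg and the Sysinternals monitor window classes) with weak ones: IsDebuggerPresent next to SetUnhandledExceptionFilter is the normal MSVC CRT abort path and appears in benign binaries, and "Process token adjusted: Debug" is SeDebugPrivilege being enabled, which is a privilege adjustment rather than a debugger check. The Python below is an added example, not part of this sandbox report: it parses evidence lines of this format and scores each process by technique. The sample lines are transcribed from this section; the rule weights are an editorial assumption.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: one representative evidence line per technique, transcribed
# from the Anti Debugging section of this report (link text removed).
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Thread information set: HideFromDebugger",
    r"Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Code function: 0_2_04CD04CD rdtsc 0_2_04CD04CD",
    r"Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Open window title or class name: ollydbg",
    r"Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Open window title or class name: procmon_window_class",
    r"Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File opened: SICE",
    r"Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort",
    r"Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: 22_2_0012A292 mov eax, dword ptr fs:[00000030h] 22_2_0012A292",
    r"Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: 22_2_00126B6B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_00126B6B",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug",
]

# (pattern over the evidence text, technique label, weight). Weights are an editorial
# assumption: queries only a debugger check needs score high; artefacts that benign
# MSVC binaries also carry score zero.
RULES = [
    (re.compile(r"Thread information set: HideFromDebugger"),
     "ThreadHideFromDebugger via NtSetInformationThread", 3),
    (re.compile(r"Process queried: DebugPort"),
     "ProcessDebugPort via NtQueryInformationProcess", 3),
    (re.compile(r"Open window title or class name: "),
     "Debugger/monitor window enumeration (FindWindow)", 2),
    (re.compile(r"File opened: (NTICE|SICE|SIWVID)$"),
     "SoftICE device-name probe", 2),
    (re.compile(r"\brdtsc\b"), "Timing check (rdtsc)", 1),
    (re.compile(r"fs:\[00000030h\]"),
     "Direct PEB access (fs:[30h]; BeingDebugged/NtGlobalFlag)", 1),
    (re.compile(r"IsDebuggerPresent,SetUnhandledExceptionFilter"),
     "IsDebuggerPresent inside CRT exception path (weak; present in benign MSVC binaries)", 0),
    (re.compile(r"Process token adjusted: Debug"),
     "SeDebugPrivilege enabled (privilege adjustment, not a debugger check)", 0),
]


def parse_line(line: str) -> Tuple[str, str]:
    """Split 'Source: <path> <evidence>' into (process basename, evidence text).
    Paths in this report contain no spaces, so the first token after 'Source:' is the path."""
    parts = line.split(" ", 2)
    if len(parts) != 3 or parts[0] != "Source:":
        raise ValueError(f"not an evidence line: {line!r}")
    path, evidence = parts[1], parts[2]
    return path.rsplit("\\", 1)[-1], evidence


def classify(lines: List[str]) -> Dict[str, dict]:
    """Map each process to the anti-debug techniques seen and a summed score."""
    per_proc = defaultdict(lambda: {"techniques": set(), "score": 0})
    for line in lines:
        proc, evidence = parse_line(line)
        for pattern, label, weight in RULES:
            if pattern.search(evidence):
                per_proc[proc]["techniques"].add(label)
                per_proc[proc]["score"] += weight
                break  # first matching rule wins
    return {p: {"techniques": sorted(v["techniques"]), "score": v["score"]}
            for p, v in per_proc.items()}


def rank(results: Dict[str, dict]) -> List[Tuple[str, int]]:
    """Processes ordered by score, highest first."""
    return sorted(((p, v["score"]) for p, v in results.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    results = classify(SAMPLE_LINES)
    for proc, score in rank(results):
        print(f"{score:>2}  {proc}")
        for technique in results[proc]["techniques"]:
            print(f"      {technique}")
```

With the weights above explorha.exe ranks first (window enumeration, SoftICE probe, DebugPort) and NewB.exe, whose only hits are PEB access and the CRT exception path, stays near zero; tune the weights to the sandbox you feed this, since the same CRT pattern shows up in most MSVC-built software.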

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 193.233.132.56 80
Source: swiiiii[1].exe.2.dr, Angelo.cs Reference to suspicious API methods: Program.GetProcAddress(Program.GetModuleHandle(aScsrhgtr), "FreeConsole")
Source: swiiiii[1].exe.2.dr, Angelo.cs Reference to suspicious API methods: Program.GetProcAddress(Program.GetModuleHandle(aScsrhgtr), "VirtualProtectEx")
Source: file300un[1].exe.2.dr, --------.cs Reference to suspicious API methods: LoadLibrary(_FBD0(._0658_060C_0612_06EB_FBCF_0602_FBC4_060F))
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" -Force
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" -Force
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000080001\alexxxxxxxx.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Code function: 5_2_030A2179 CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread, 5_2_030A2179
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000080001\alexxxxxxxx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: swiiiii.exe, 00000005.00000002.3372420877.00000000040A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: pillowbrocccolipe.shop
Source: swiiiii.exe, 00000005.00000002.3372420877.00000000040A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: communicationgenerwo.shop
Source: swiiiii.exe, 00000005.00000002.3372420877.00000000040A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: diskretainvigorousiw.shop
Source: swiiiii.exe, 00000005.00000002.3372420877.00000000040A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: affordcharmcropwo.shop
Source: swiiiii.exe, 00000005.00000002.3372420877.00000000040A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: dismissalcylinderhostw.shop
Source: swiiiii.exe, 00000005.00000002.3372420877.00000000040A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: enthusiasimtitleow.shop
Source: swiiiii.exe, 00000005.00000002.3372420877.00000000040A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: worryfillvolcawoi.shop
Source: swiiiii.exe, 00000005.00000002.3372420877.00000000040A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: cleartotalfisherwo.shop
Source: gold.exe, 0000002B.00000002.2854796203.00000000004E6000.00000004.00000001.01000000.0000001C.sdmp String found in binary or memory: demonstationfukewko.shop
Source: gold.exe, 0000002B.00000002.2854796203.00000000004E6000.00000004.00000001.01000000.0000001C.sdmp String found in binary or memory: liabilitynighstjsko.shop
Source: gold.exe, 0000002B.00000002.2854796203.00000000004E6000.00000004.00000001.01000000.0000001C.sdmp String found in binary or memory: alcojoldwograpciw.shop
Source: gold.exe, 0000002B.00000002.2854796203.00000000004E6000.00000004.00000001.01000000.0000001C.sdmp String found in binary or memory: incredibleextedwj.shop
Source: gold.exe, 0000002B.00000002.2854796203.00000000004E6000.00000004.00000001.01000000.0000001C.sdmp String found in binary or memory: shortsvelventysjo.shop
Source: gold.exe, 0000002B.00000002.2854796203.00000000004E6000.00000004.00000001.01000000.0000001C.sdmp String found in binary or memory: shatterbreathepsw.shop
Source: gold.exe, 0000002B.00000002.2854796203.00000000004E6000.00000004.00000001.01000000.0000001C.sdmp String found in binary or memory: tolerateilusidjukl.shop
Source: gold.exe, 0000002B.00000002.2854796203.00000000004E6000.00000004.00000001.01000000.0000001C.sdmp String found in binary or memory: productivelookewr.shop
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base address: 400000
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 439000
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43C000
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 447000
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: E89008
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41B000
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 423000
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 636000
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 8D0008
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 404000
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 406000
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: CDE008
Source: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43B000
Source: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43E000
Source: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 449000
Source: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 30E008
Source: C:\Users\user\AppData\Local\Temp\1000080001\alexxxxxxxx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000080001\alexxxxxxxx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\1000080001\alexxxxxxxx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 58E000
Source: C:\Users\user\AppData\Local\Temp\1000080001\alexxxxxxxx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 590000
Source: C:\Users\user\AppData\Local\Temp\1000080001\alexxxxxxxx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 11B2008
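The "Memory allocated" (RWX at 400000), "Memory written" (value starts with 4D5A, the "MZ" DOS header) and "Section unmapped" lines, together with the swiiiii.exe API sequence CreateProcessA, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext, ResumeThread, are the textbook process-hollowing (RunPE) pattern into a .NET Framework host. The last write of each set lands at an address ending in 008 (E89008, 8D0008, CDE008, 30E008, 11B2008); reading that as PEB+0x8, the ImageBaseAddress field of a 32-bit PEB, is an editorial inference consistent with the Wow64 calls, not something the report states. The Python below is an added example, not sandbox code: it replays a constructed event stream transcribed from the lines above through a stage detector. The report shows no thread-context evidence for file300un.exe, so its stream is left incomplete to show the partial-evidence verdict; the devenv.exe pair is an invented benign control.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Event:
    """One cross-process action, as the sandbox logs it."""
    source: str                 # process performing the action
    target: str                 # process acted upon
    action: str                 # create | unmap | alloc | write | set_context | resume
    addr: Optional[int] = None  # address in the target for unmap/alloc/write
    protect: str = ""           # protection requested by alloc
    first_bytes: bytes = b""    # leading bytes of a write ('4D5A' in the report is b"MZ")


# Constructed event stream transcribed from the 'Memory allocated', 'Memory written',
# 'Section unmapped' and 'Code function' lines above. The report shows no thread-context
# evidence for file300un.exe, so its stream stops after the writes; the devenv.exe pair
# is an invented benign control (a debugger patching one byte in its debuggee).
RWX = "page execute and read and write"
SAMPLE_EVENTS = [
    Event("swiiiii.exe", "RegAsm.exe", "create"),
    Event("swiiiii.exe", "RegAsm.exe", "alloc", 0x400000, RWX),
    Event("swiiiii.exe", "RegAsm.exe", "write", 0x400000, first_bytes=b"MZ\x90\x00"),
    Event("swiiiii.exe", "RegAsm.exe", "write", 0x401000),
    Event("swiiiii.exe", "RegAsm.exe", "write", 0x439000),
    Event("swiiiii.exe", "RegAsm.exe", "write", 0x43C000),
    Event("swiiiii.exe", "RegAsm.exe", "write", 0x447000),
    Event("swiiiii.exe", "RegAsm.exe", "write", 0xE89008),
    Event("swiiiii.exe", "RegAsm.exe", "set_context"),
    Event("swiiiii.exe", "RegAsm.exe", "resume"),
    Event("file300un.exe", "InstallUtil.exe", "create"),
    Event("file300un.exe", "InstallUtil.exe", "unmap", 0x400000),
    Event("file300un.exe", "InstallUtil.exe", "alloc", 0x400000, RWX),
    Event("file300un.exe", "InstallUtil.exe", "write", 0x400000, first_bytes=b"MZ\x90\x00"),
    Event("file300un.exe", "InstallUtil.exe", "write", 0x402000),
    Event("file300un.exe", "InstallUtil.exe", "write", 0x404000),
    Event("file300un.exe", "InstallUtil.exe", "write", 0x406000),
    Event("file300un.exe", "InstallUtil.exe", "write", 0xCDE008),
    Event("devenv.exe", "app.exe", "write", 0x7FF0000, first_bytes=b"\xcc"),
]

STAGE_ORDER = ["create", "unmap", "alloc_rwx", "write_mz", "write_section",
               "write_peb_imagebase", "set_context", "resume"]


def analyse(events: List[Event]) -> Dict[Tuple[str, str], dict]:
    """Group events per (source, target) and label the hollowing stages each pair reached."""
    by_pair: Dict[Tuple[str, str], List[Event]] = {}
    for e in events:
        by_pair.setdefault((e.source, e.target), []).append(e)

    results: Dict[Tuple[str, str], dict] = {}
    for pair, evs in by_pair.items():
        stages = set()
        image_base: Optional[int] = None
        for e in evs:
            if e.action in ("create", "unmap", "set_context", "resume"):
                stages.add(e.action)
            elif e.action == "alloc" and "execute" in e.protect and "write" in e.protect:
                stages.add("alloc_rwx")
                image_base = e.addr
            elif e.action == "write" and e.addr is not None:
                if e.first_bytes.startswith(b"MZ"):
                    stages.add("write_mz")          # a PE image lands at the target base
                    image_base = e.addr if image_base is None else image_base
                elif (e.addr & 0xFFF) == 0x8:
                    # Pointer-sized write at PEB+0x8: ImageBaseAddress of a 32-bit PEB
                    # (it sits at +0x10 in a native 64-bit PEB). Editorial inference.
                    stages.add("write_peb_imagebase")
                elif image_base is not None and e.addr > image_base and (e.addr & 0xFFF) == 0:
                    stages.add("write_section")     # page-aligned write above the base
        if {"write_mz", "set_context", "resume"} <= stages:
            verdict = "process hollowing"
        elif "write_mz" in stages:
            verdict = "PE image injected (thread-context stage not observed)"
        else:
            verdict = "none"
        results[pair] = {"verdict": verdict, "image_base": image_base,
                         "stages": [s for s in STAGE_ORDER if s in stages]}
    return results


if __name__ == "__main__":
    for (src, dst), r in analyse(SAMPLE_EVENTS).items():
        base = f"{r['image_base']:#x}" if r["image_base"] is not None else "-"
        print(f"{src} -> {dst}: {r['verdict']} (base {base}; stages: {', '.join(r['stages'])})")
```

The verdict deliberately requires the thread-context step: a PE image written into another process without SetThreadContext/ResumeThread is still injection, but it may also be a loader mapping a module for a debugger or an unpacker, so it is reported separately rather than folded into the hollowing verdict.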
Source: C:\Users\user\Desktop\U8uFcjIjAR.exe Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe "C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe "C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe "C:\Users\user\AppData\Local\Temp\1000071001\jok.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe "C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000077001\jfesawdr.exe "C:\Users\user\AppData\Local\Temp\1000077001\jfesawdr.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe "C:\Users\user\AppData\Local\Temp\1000079001\gold.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000080001\alexxxxxxxx.exe "C:\Users\user\AppData\Local\Temp\1000080001\alexxxxxxxx.exe"
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3580 -ip 3580
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 924
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 436 -p 4764 -ip 4764
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4764 -s 1500
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 7452 -ip 7452
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7452 -s 372
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown (60 identical entries)
Source: C:\Windows\System32\svchost.exe Process created: C:\Users\user\Pictures\CpqmTFb0JovJ1ZbssYgoEukK.exe "C:\Users\user\Pictures\CpqmTFb0JovJ1ZbssYgoEukK.exe"
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe" /F
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Process created: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe "C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe"
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Process created: C:\Users\user\AppData\Local\Temp\1000233001\4767d2e713f2021e8fe856e3ea638b58.exe "C:\Users\user\AppData\Local\Temp\1000233001\4767d2e713f2021e8fe856e3ea638b58.exe"
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Process created: C:\Users\user\AppData\Local\Temp\u1eg.0.exe "C:\Users\user\AppData\Local\Temp\u1eg.0.exe"
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" -Force
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\AppData\Local\Temp\1000077001\jfesawdr.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat" "
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Users\user\Pictures\CpqmTFb0JovJ1ZbssYgoEukK.exe "C:\Users\user\Pictures\CpqmTFb0JovJ1ZbssYgoEukK.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Users\user\Pictures\G5ySvIIiUZEng2gHEb0ia9X8.exe "C:\Users\user\Pictures\G5ySvIIiUZEng2gHEb0ia9X8.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat" "
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe work.exe -priverdD
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe "C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe"
Source: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Pictures\CpqmTFb0JovJ1ZbssYgoEukK.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\CpqmTFb0JovJ1ZbssYgoEukK.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\G5ySvIIiUZEng2gHEb0ia9X8.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000080001\alexxxxxxxx.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000080001\alexxxxxxxx.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000080001\alexxxxxxxx.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000233001\4767d2e713f2021e8fe856e3ea638b58.exe Process created: unknown unknown
Source: ISetup8.exe, 00000018.00000003.2807691606.0000000004D29000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TrayNotifyWndShell_TrayWnd
Source: ISetup8.exe, 00000018.00000003.2807691606.0000000004D29000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWndtooltips_class32SVWU
Source: ISetup8.exe, 00000018.00000003.2807691606.0000000004D29000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWndtooltips_class32S
Source: U8uFcjIjAR.exe, U8uFcjIjAR.exe, 00000000.00000002.2056986707.0000000000786000.00000040.00000001.01000000.00000003.sdmp, explorha.exe, explorha.exe, 00000003.00000002.2114436848.00000000010B6000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: "cProgram Manager
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: 22_2_0010DE96 cpuid 22_2_0010DE96
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 24_2_0042086B
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: EnumSystemLocalesW, 24_2_004170F1
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: EnumSystemLocalesW, 24_2_004201F6
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: EnumSystemLocalesW, 24_2_004201AB
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: EnumSystemLocalesW, 24_2_00420291
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 24_2_0042031E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: GetLocaleInfoW, 24_2_004174E4
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: GetLocaleInfoW, 24_2_0042056E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 24_2_00420697
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 24_2_0041FF33
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: GetLocaleInfoW, 24_2_0042079E
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 24_2_01BB019A
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 24_2_01BB08FE
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: EnumSystemLocalesW, 24_2_01BA7358
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 24_2_01BB0AD2
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: GetLocaleInfoW, 24_2_01BB0A05
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: EnumSystemLocalesW, 24_2_01BB04F8
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: EnumSystemLocalesW, 24_2_01BB0412
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: EnumSystemLocalesW, 24_2_01BB045D
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: GetLocaleInfoW, 24_2_01BB07D3
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: GetLocaleInfoW, 24_2_01BB07D5
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Code function: GetLocaleInfoW, 24_2_01BA774B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoA, 28_2_00414570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000077001\jfesawdr.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000077001\jfesawdr.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000080001\alexxxxxxxx.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000080001\alexxxxxxxx.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\BNAGMGSPLO.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\EEGWXUHVUG.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\GRXZDKKVDB.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\NVWZAPQSQL.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\NVWZAPQSQL.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\PALRGUCVEH.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\SQSJKEBWDT.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\SQSJKEBWDT.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000232001\toolspub1.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000233001\4767d2e713f2021e8fe856e3ea638b58.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000233001\4767d2e713f2021e8fe856e3ea638b58.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000231001\ISetup8.exe Queries volume information: C:\Users\user\AppData\Local\Temp\u1eg.1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Users\user\Pictures\CpqmTFb0JovJ1ZbssYgoEukK.exe Queries volume information: C:\Users\user\AppData\Local\Temp\u5xs.1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: 22_2_0010E0DB GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 22_2_0010E0DB
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: 22_2_000F5370 RegOpenKeyExA,RegCloseKey,RegOpenKeyExA,RegCloseKey,GetUserNameA,LookupAccountNameA,GetSidIdentifierAuthority, 22_2_000F5370
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: 22_2_00132467 _free,_free,_free,GetTimeZoneInformation,_free, 22_2_00132467
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: 22_2_000F72F0 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo, 22_2_000F72F0
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: RegAsm.exe, 00000008.00000002.2365829298.0000000001389000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.2365829298.000000000139F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000002C.00000002.4027928722.0000000000856000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000002C.00000002.4027928722.0000000000829000.00000004.00000020.00020000.00000000.sdmp, podaw.exe, 00000030.00000003.4335321539.00000000013E2000.00000004.00000020.00020000.00000000.sdmp, podaw.exe, 00000030.00000003.4354741853.00000000013C6000.00000004.00000020.00020000.00000000.sdmp, podaw.exe, 00000030.00000003.4312885472.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, podaw.exe, 00000030.00000002.4393166624.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, podaw.exe, 00000030.00000003.4312885472.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, podaw.exe, 00000030.00000003.4350856050.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, podaw.exe, 00000030.00000003.4306903773.00000000013C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\clip64[1].dll, type: DROPPED
Source: Yara match File source: 22.2.NewB.exe.f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.NewB.exe.f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.explorha.exe.ec0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.NewB.exe.f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.U8uFcjIjAR.exe.590000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.2008024339.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.2185755705.00000000000F1000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2056893709.0000000000591000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2068811199.0000000005170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2114352567.0000000000EC1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.2163610918.00000000000F1000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2191122983.00000000000F1000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2070512533.0000000004910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\NewB[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\cred64[1].dll, type: DROPPED
Source: Yara match File source: 49.2.G5ySvIIiUZEng2gHEb0ia9X8.exe.3e40e67.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 49.2.G5ySvIIiUZEng2gHEb0ia9X8.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000031.00000002.5829605644.0000000000843000.00000040.00000001.01000000.0000001F.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000002.6053929407.0000000004283000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: G5ySvIIiUZEng2gHEb0ia9X8.exe PID: 7812, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: podaw.exe PID: 7732, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7580, type: MEMORYSTR
Source: Yara match File source: 32.2.u1eg.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.u1eg.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.swiiii.exe.3ab5570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.3.u1eg.0.exe.1b70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.u1eg.0.exe.1b40e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.3.u1eg.0.exe.1b70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.swiiii.exe.3ab5570.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.u1eg.0.exe.1b40e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000020.00000002.5859591620.0000000000400000.00000040.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.4714052350.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.2278711466.0000000001B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.5871967862.0000000001B40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2273123693.0000000003AB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 50.2.alexxxxxxxx.exe.36cfe2.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 50.2.alexxxxxxxx.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 50.2.alexxxxxxxx.exe.36cfe2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000032.00000002.3329080036.0000000000364000.00000004.00000001.01000000.00000020.sdmp, type: MEMORY
Source: Yara match File source: 50.2.alexxxxxxxx.exe.48fd86.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.jok.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 50.2.alexxxxxxxx.exe.320fdd.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 50.2.alexxxxxxxx.exe.320fdd.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 50.2.alexxxxxxxx.exe.48fd86.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000000.2187097797.0000000000222000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000002.3329080036.000000000040D000.00000004.00000001.01000000.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000002.3329080036.000000000031F000.00000004.00000001.01000000.00000020.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: jok.exe PID: 5440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: alexxxxxxxx.exe PID: 7864, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\jok[1].exe, type: DROPPED
Source: Yara match File source: 0000001C.00000002.4714052350.000000000042A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.4714052350.0000000000444000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.4777581729.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.5887832543.0000000001DF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5228, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: u1eg.0.exe PID: 6628, type: MEMORYSTR
Source: RegAsm.exe, 00000008.00000002.2334404081.00000000010F8000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: 5AWallets/ElectrumA
Source: u1eg.0.exe, 00000020.00000002.5859591620.0000000000549000.00000040.00000001.01000000.00000016.sdmp String found in binary or memory: |1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 00000008.00000002.2379841648.000000000140D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: RegAsm.exe, 00000008.00000002.2334404081.00000000010F8000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: (Awindow-state.jsonA5A
Source: RegAsm.exe, 00000008.00000002.2334404081.00000000010F8000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: 5AWallets/ExodusAC:\Users\user\AppData\Roaming\Exodus\exodus.walletY)A%appdata%\Exodus\exodus.walletAkeystore>
Source: RegAsm.exe, 00000008.00000002.2379841648.000000000140D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Exodus
Source: RegAsm.exe, 00000008.00000002.2334404081.00000000010F8000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: 5Aapp-store.jsonAWallets/BinanceC:\Users\user\AppData\Roaming\Binance%appdata%\Binance
Source: RegAsm.exe, 00000008.00000002.2334404081.00000000010F8000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: 5AWallets/EthereumAG%>
Source: RegAsm.exe, 00000008.00000002.2334404081.00000000010F8000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: 5AWallets/CoinomiC:\Users\user\AppData\Local\Coinomi\Coinomi\walletsY)A%localappdata%\Coinomi\Coinomi\walletsA*A5A
Source: RegAsm.exe, 00000008.00000002.2334404081.00000000010F8000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: 5AWallets/Ledger Live{4AC:\Users\user\AppData\Roaming\Ledger Live,Y)A%appdata%\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\key4.db
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\Application Data\Mozilla\Firefox
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\logins.json
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Chedot\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\logins.json
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Orbitum\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\CentBrowser\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Chromium\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\System32\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\ImmersiveControlPanel\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SysWOW64\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Program Files (x86)\MwihEzlHtrgqoyjYUHGNOXMtUFaLJGGhbyfFCcOqTCPZbdsbAnXdQ\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Temp\09fd851a4f\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Temp\1000066001\.purple\accounts.xml
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\AppData\Local\Temp\u1eg.0.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\SNIPGPPREP
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\TQDFJHPUIU
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\UNKRLCVOHV
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\AQRFEVRTGL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\SNIPGPPREP
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\TQDFJHPUIU
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\UNKRLCVOHV
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\AQRFEVRTGL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\SQSJKEBWDT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\TQDFJHPUIU
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\AQRFEVRTGL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\SNIPGPPREP
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\TQDFJHPUIU
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\UNKRLCVOHV
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\TQDFJHPUIU
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\UNKRLCVOHV Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\AQRFEVRTGL Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\BNAGMGSPLO Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\GIGIYTFFYT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\NVWZAPQSQL Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\TQDFJHPUIU Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\GIGIYTFFYT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\NVWZAPQSQL Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\SNIPGPPREP Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\TQDFJHPUIU Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\NVWZAPQSQL Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\TQDFJHPUIU Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\SQSJKEBWDT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\SNIPGPPREP
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Directory queried: C:\Users\user\Documents\TQDFJHPUIU
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Directory queried: C:\Users\user\Documents\AQRFEVRTGL
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Directory queried: C:\Users\user\Documents\AQRFEVRTGL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: number of queries: 1399
Source: Yara match File source: 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 1964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: jok.exe PID: 5440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: u1eg.0.exe PID: 6628, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7580, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: podaw.exe PID: 7732, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 49.2.G5ySvIIiUZEng2gHEb0ia9X8.exe.3e40e67.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 49.2.G5ySvIIiUZEng2gHEb0ia9X8.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000031.00000002.5829605644.0000000000843000.00000040.00000001.01000000.0000001F.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000002.6053929407.0000000004283000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: G5ySvIIiUZEng2gHEb0ia9X8.exe PID: 7812, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: podaw.exe PID: 7732, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7580, type: MEMORYSTR
Source: Yara match File source: 32.2.u1eg.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.u1eg.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.swiiii.exe.3ab5570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.3.u1eg.0.exe.1b70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.u1eg.0.exe.1b40e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.3.u1eg.0.exe.1b70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.swiiii.exe.3ab5570.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.u1eg.0.exe.1b40e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000020.00000002.5859591620.0000000000400000.00000040.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.4714052350.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.2278711466.0000000001B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.5871967862.0000000001B40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2273123693.0000000003AB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 50.2.alexxxxxxxx.exe.36cfe2.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 50.2.alexxxxxxxx.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 50.2.alexxxxxxxx.exe.36cfe2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000032.00000002.3329080036.0000000000364000.00000004.00000001.01000000.00000020.sdmp, type: MEMORY
Source: Yara match File source: 50.2.alexxxxxxxx.exe.48fd86.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.jok.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 50.2.alexxxxxxxx.exe.320fdd.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 50.2.alexxxxxxxx.exe.36cfe2.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 50.2.alexxxxxxxx.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 50.2.alexxxxxxxx.exe.36cfe2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 50.2.alexxxxxxxx.exe.320fdd.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 50.2.alexxxxxxxx.exe.48fd86.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000000.2187097797.0000000000222000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.6041581644.0000000002637000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000002.3329080036.000000000040D000.00000004.00000001.01000000.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000002.3329080036.000000000031F000.00000004.00000001.01000000.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000002.3329080036.0000000000364000.00000004.00000001.01000000.00000020.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: jok.exe PID: 5440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: alexxxxxxxx.exe PID: 7864, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\jok[1].exe, type: DROPPED
Source: Yara match File source: 28.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001C.00000002.4714052350.000000000042A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.4714052350.0000000000444000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.4777581729.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.4714052350.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.5887832543.0000000001DF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5228, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: u1eg.0.exe PID: 6628, type: MEMORYSTR
Source: Yara match File source: 32.2.u1eg.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.u1eg.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.swiiii.exe.3ab5570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.3.u1eg.0.exe.1b70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.u1eg.0.exe.1b40e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.3.u1eg.0.exe.1b70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.swiiii.exe.3ab5570.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.u1eg.0.exe.1b40e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000020.00000002.5859591620.0000000000400000.00000040.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.4714052350.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.2278711466.0000000001B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.5871967862.0000000001B40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2273123693.0000000003AB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: u1eg.0.exe PID: 6628, type: MEMORYSTR
Source: Yara match File source: 50.2.alexxxxxxxx.exe.36cfe2.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 50.2.alexxxxxxxx.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 50.2.alexxxxxxxx.exe.36cfe2.1.raw.unpack, type: UNPACKEDPE
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: 22_2_0011E044 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 22_2_0011E044
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: 22_2_000F2500 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 22_2_000F2500
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Code function: 22_2_0011ED3B Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext, 22_2_0011ED3B