Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: INSERT_KEY_HERE |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GetProcAddress |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: LoadLibraryA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: lstrcatA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: OpenEventA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: CreateEventA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: CloseHandle |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: Sleep |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GetUserDefaultLangID |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: VirtualAllocExNuma |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: VirtualFree |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GetSystemInfo |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: VirtualAlloc |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: HeapAlloc |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GetComputerNameA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: lstrcpyA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GetProcessHeap |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GetCurrentProcess |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: lstrlenA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: ExitProcess |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GlobalMemoryStatusEx |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GetSystemTime |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: SystemTimeToFileTime |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: advapi32.dll |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: gdi32.dll |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: user32.dll |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: crypt32.dll |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: ntdll.dll |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GetUserNameA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: CreateDCA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GetDeviceCaps |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: ReleaseDC |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: CryptStringToBinaryA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: sscanf |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: VMwareVMware |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: HAL9TH |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: JohnDoe |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: DISPLAY |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: %hu/%hu/%hu |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: http://52.143.157.84 |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: /c73eed764cc59dcb.php |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: /84bad7132df89fd7/ |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: pisun |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GetEnvironmentVariableA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GetFileAttributesA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GlobalLock |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: HeapFree |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GetFileSize |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GlobalSize |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: CreateToolhelp32Snapshot |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: IsWow64Process |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: Process32Next |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GetLocalTime |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: FreeLibrary |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GetTimeZoneInformation |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GetSystemPowerStatus |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GetVolumeInformationA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GetWindowsDirectoryA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: Process32First |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GetLocaleInfoA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GetUserDefaultLocaleName |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GetModuleFileNameA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: DeleteFileA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: FindNextFileA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: LocalFree |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: FindClose |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: SetEnvironmentVariableA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: LocalAlloc |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GetFileSizeEx |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: ReadFile |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: SetFilePointer |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: WriteFile |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: CreateFileA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: FindFirstFileA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: CopyFileA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: VirtualProtect |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GetLogicalProcessorInformationEx |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GetLastError |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: lstrcpynA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: MultiByteToWideChar |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GlobalFree |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: WideCharToMultiByte |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GlobalAlloc |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: OpenProcess |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: TerminateProcess |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GetCurrentProcessId |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: gdiplus.dll |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: ole32.dll |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: bcrypt.dll |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: wininet.dll |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: shlwapi.dll |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: shell32.dll |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: psapi.dll |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: rstrtmgr.dll |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: CreateCompatibleBitmap |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: SelectObject |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: BitBlt |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: DeleteObject |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: CreateCompatibleDC |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GdipGetImageEncodersSize |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GdipGetImageEncoders |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GdipCreateBitmapFromHBITMAP |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GdiplusStartup |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GdiplusShutdown |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GdipSaveImageToStream |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GdipDisposeImage |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GdipFree |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GetHGlobalFromStream |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: CreateStreamOnHGlobal |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: CoUninitialize |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: CoInitialize |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: CoCreateInstance |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: BCryptGenerateSymmetricKey |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: BCryptCloseAlgorithmProvider |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: BCryptDecrypt |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: BCryptSetProperty |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: BCryptDestroyKey |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: BCryptOpenAlgorithmProvider |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GetWindowRect |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GetDesktopWindow |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GetDC |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: CloseWindow |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: wsprintfA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: EnumDisplayDevicesA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GetKeyboardLayoutList |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: CharToOemW |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: wsprintfW |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: RegQueryValueExA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: RegEnumKeyExA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: RegOpenKeyExA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: RegCloseKey |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: RegEnumValueA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: CryptBinaryToStringA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: CryptUnprotectData |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: SHGetFolderPathA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: ShellExecuteExA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: InternetOpenUrlA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: InternetConnectA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: InternetCloseHandle |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: InternetOpenA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: HttpSendRequestA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: HttpOpenRequestA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: InternetReadFile |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: InternetCrackUrlA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: StrCmpCA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: StrStrA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: StrCmpCW |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: PathMatchSpecA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: GetModuleFileNameExA |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: RmStartSession |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: RmRegisterResources |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: RmGetList |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: RmEndSession |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: sqlite3_open |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: sqlite3_prepare_v2 |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: sqlite3_step |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: sqlite3_column_text |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: sqlite3_finalize |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: sqlite3_close |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: sqlite3_column_bytes |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: sqlite3_column_blob |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: encrypted_key |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: PATH |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: C:\ProgramData\nss3.dll |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: NSS_Init |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: NSS_Shutdown |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: PK11_GetInternalKeySlot |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: PK11_FreeSlot |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: PK11_Authenticate |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: PK11SDR_Decrypt |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: C:\ProgramData\ |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: SELECT origin_url, username_value, password_value FROM logins |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: browser: |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: profile: |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: url: |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: login: |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: password: |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: Opera |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: OperaGX |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: Network |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: cookies |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: .txt |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: TRUE |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: FALSE |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: autofill |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: SELECT name, value FROM autofill |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: history |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: SELECT url FROM urls LIMIT 1000 |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: name: |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: month: |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: year: |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: card: |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: Cookies |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: Login Data |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: Web Data |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: History |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: logins.json |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: formSubmitURL |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: usernameField |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: encryptedUsername |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: encryptedPassword |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: guid |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: SELECT fieldname, value FROM moz_formhistory |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: SELECT url FROM moz_places LIMIT 1000 |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: cookies.sqlite |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: formhistory.sqlite |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: places.sqlite |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: plugins |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: Local Extension Settings |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: Sync Extension Settings |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: IndexedDB |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: Opera Stable |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: Opera GX Stable |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: CURRENT |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: chrome-extension_ |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: _0.indexeddb.leveldb |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: Local State |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: profiles.ini |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: chrome |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: opera |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: firefox |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: wallets |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: %08lX%04lX%lu |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: ProductName |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: %d/%d/%d %d:%d:%d |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0 |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: ProcessorNameString |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: DisplayName |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: DisplayVersion |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: Network Info: |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: - IP: IP? |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: - Country: ISO? |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: System Summary: |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: - HWID: |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: - OS: |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: - Architecture: |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: - UserName: |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: - Computer Name: |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: - Local Time: |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: - UTC: |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: - Language: |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: - Keyboards: |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: - Laptop: |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: - Running Path: |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: - CPU: |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: - Threads: |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: - Cores: |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: - RAM: |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: - Display Resolution: |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: - GPU: |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: User Agents: |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: Installed Apps: |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: All Users: |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: Current User: |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: Process List: |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: system_info.txt |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: freebl3.dll |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: mozglue.dll |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: msvcp140.dll |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: nss3.dll |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: softokn3.dll |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: vcruntime140.dll |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: \Temp\ |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: .exe |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: runas |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: open |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: /c start |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: %DESKTOP% |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: %APPDATA% |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: %LOCALAPPDATA% |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: %USERPROFILE% |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: %DOCUMENTS% |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: %PROGRAMFILES% |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: %PROGRAMFILES_86% |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: %RECENT% |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: *.lnk |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: files |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: \discord\ |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: \Local Storage\leveldb\CURRENT |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: \Local Storage\leveldb |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: \Telegram Desktop\ |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: key_datas |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: D877F783D5D3EF8C* |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: map* |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: A7FDF864FBC10B77* |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: A92DAA6EA6F891F2* |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: F8806DD0C461824F* |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: Telegram |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: *.tox |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: *.ini |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: Password |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\ |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\ |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\ |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\ |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\ |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: 00000001 |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: 00000002 |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: 00000003 |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: 00000004 |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: \Outlook\accounts.txt |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: Pidgin |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: \.purple\ |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: accounts.xml |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: dQw4w9WgXcQ |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: token: |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: Software\Valve\Steam |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: SteamPath |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: \config\ |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: ssfn* |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: config.vdf |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: DialogConfig.vdf |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: DialogConfigOverlay*.vdf |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: libraryfolders.vdf |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: loginusers.vdf |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: \Steam\ |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: sqlite3.dll |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: browsers |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: done |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: soft |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: \Discord\tokens.txt |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: /c timeout /t 5 & del /f /q " |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: " & del "C:\ProgramData\*.dll"" & exit |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: C:\Windows\system32\cmd.exe |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: https |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: Content-Type: multipart/form-data; boundary=---- |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: POST |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: HTTP/1.1 |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: Content-Disposition: form-data; name=" |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: hwid |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: build |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: token |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: file_name |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: file |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: message |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890 |
Source: 47.2.RegAsm.exe.400000.0.unpack |
String decryptor: screenshot.jpg |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: 185.172.128.19 |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: /ghsdh39s/index.php |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: S-%lu- |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: cd1f156d67 |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: Utsysc.exe |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: SCHTASKS |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: /Create /SC MINUTE /MO 1 /TN |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: /TR " |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: Startup |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: cmd /C RMDIR /s/q |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: rundll32 |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: /Delete /TN " |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: Programs |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: %USERPROFILE% |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: cred.dll|clip.dll| |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: http:// |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: https:// |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: /Plugins/ |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: &unit= |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: shell32.dll |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: kernel32.dll |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: GetNativeSystemInfo |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: ProgramData\ |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: AVAST Software |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: Kaspersky Lab |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: Panda Security |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: Doctor Web |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: 360TotalSecurity |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: Bitdefender |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: Norton |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: Sophos |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: Comodo |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: WinDefender |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: 0123456789 |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: Content-Type: multipart/form-data; boundary=---- |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: ------ |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: ?scr=1 |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: Content-Type: application/x-www-form-urlencoded |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: ComputerName |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_ |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: -unicode- |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\ |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: VideoID |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: DefaultSettings.XResolution |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: DefaultSettings.YResolution |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: ProductName |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: CurrentBuild |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: echo Y|CACLS " |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: " /P " |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: CACLS " |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: :R" /E |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: :F" /E |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: &&Exit |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: rundll32.exe |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: "taskkill /f /im " |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: " && timeout 1 && del |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: && Exit" |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: " && ren |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: Powershell.exe |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: -executionpolicy remotesigned -File " |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: shutdown -s -t 0 |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: /w']fC |
Source: 39.2.NewB.exe.e50000.0.unpack |
String decryptor: vw(hF= |
Source: 29.2.RegAsm.exe.400000.0.unpack |
String decryptor: pillowbrocccolipe.shop |
Source: 29.2.RegAsm.exe.400000.0.unpack |
String decryptor: communicationgenerwo.shop |
Source: 29.2.RegAsm.exe.400000.0.unpack |
String decryptor: diskretainvigorousiw.shop |
Source: 29.2.RegAsm.exe.400000.0.unpack |
String decryptor: affordcharmcropwo.shop |
Source: 29.2.RegAsm.exe.400000.0.unpack |
String decryptor: dismissalcylinderhostw.shop |
Source: 29.2.RegAsm.exe.400000.0.unpack |
String decryptor: enthusiasimtitleow.shop |
Source: 29.2.RegAsm.exe.400000.0.unpack |
String decryptor: worryfillvolcawoi.shop |
Source: 29.2.RegAsm.exe.400000.0.unpack |
String decryptor: cleartotalfisherwo.shop |
Source: 29.2.RegAsm.exe.400000.0.unpack |
String decryptor: affordcharmcropwo.shop |
Source: 29.2.RegAsm.exe.400000.0.unpack |
String decryptor: lid=%s&j=%s&ver=4.0 |
Source: 29.2.RegAsm.exe.400000.0.unpack |
String decryptor: TeslaBrowser/5.5 |
Source: 29.2.RegAsm.exe.400000.0.unpack |
String decryptor: - Screen Resoluton: |
Source: 29.2.RegAsm.exe.400000.0.unpack |
String decryptor: - Physical Installed Memory: |
Source: 29.2.RegAsm.exe.400000.0.unpack |
String decryptor: Workgroup: - |
Source: 29.2.RegAsm.exe.400000.0.unpack |
String decryptor: LGNDR1--ketamine |
String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe |
Source: MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe.lv |
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exer.dbl |
String found in binary or memory: http://193.233.132.56/cost/go.exe |
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2647485220.0000000001492000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://193.233.132.56/cost/go.exe4x |
Source: MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://193.233.132.56/cost/go.exehCorel.ba |
String found in binary or memory: http://193.233.132.56/cost/go.exemadka.ex |
Source: d361f35322.exe, 00000024.00000003.2759415774.000000000143F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2637513543.0000000001038000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://193.233.132.56/cost/lenin.exe |
Source: RageMP131.exe, 0000002E.00000002.2637513543.0000000001038000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://193.233.132.56/cost/lenin.exe1 |
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2647485220.0000000001492000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://193.233.132.56/cost/lenin.exe;x |
Source: d361f35322.exe, 00000009.00000003.2647485220.0000000001492000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://193.233.132.56/cost/lenin.exea.exe68.0l |
Source: MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://193.233.132.56/cost/lenin.exew.s |
Source: freebl3[1].dll.51.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0 |
Source: freebl3[1].dll.51.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E |
Source: freebl3[1].dll.51.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0 |
Source: freebl3[1].dll.51.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0 |
Source: freebl3[1].dll.51.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C |
Source: freebl3[1].dll.51.dr |
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0 |
Source: freebl3[1].dll.51.dr |
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O |
Source: freebl3[1].dll.51.dr |
String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0= |
Source: freebl3[1].dll.51.dr |
String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0 |
Source: freebl3[1].dll.51.dr |
String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0 |
Source: freebl3[1].dll.51.dr |
String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05 |
Source: freebl3[1].dll.51.dr |
String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0: |
Source: freebl3[1].dll.51.dr |
String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07 |
Source: freebl3[1].dll.51.dr |
String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K |
Source: powershell.exe, 0000001E.00000002.2315360912.000001D42EE5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2095956248.000001D4207A0000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: freebl3[1].dll.51.dr |
String found in binary or memory: http://ocsp.digicert.com0 |
Source: freebl3[1].dll.51.dr |
String found in binary or memory: http://ocsp.digicert.com0A |
Source: freebl3[1].dll.51.dr |
String found in binary or memory: http://ocsp.digicert.com0C |
Source: freebl3[1].dll.51.dr |
String found in binary or memory: http://ocsp.digicert.com0N |
Source: freebl3[1].dll.51.dr |
String found in binary or memory: http://ocsp.digicert.com0X |
Source: powershell.exe, 0000001E.00000002.2095956248.000001D41F008000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 0000001E.00000002.2095956248.000001D41F008000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/ |
Source: powershell.exe, 0000001E.00000002.2095956248.000001D41EDE1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 0000001E.00000002.2095956248.000001D41F008000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/wsdl/ |
Source: powershell.exe, 0000001E.00000002.2095956248.000001D41F008000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: freebl3[1].dll.51.dr |
String found in binary or memory: http://www.digicert.com/CPS0 |
String found in binary or memory: http://www.winimage.com/zLibDll |
String found in binary or memory: https://ac.ecosia.org/autocomplete?q= |
Source: d361f35322.exe, 00000024.00000003.2820673524.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2822343743.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://accounts.googl |
Source: MPGPH131.exe, 0000001B.00000003.3206133655.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820673524.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_h |
Source: d361f35322.exe, 00000024.00000003.2822343743.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_s |
Source: MPGPH131.exe, 0000001B.00000003.3206133655.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820673524.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https |
String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2 |
Source: d361f35322.exe, 00000024.00000003.2825684612.0000000007CB5000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2822343743.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://accounts.google.com/v3/signin/id |
Source: MPGPH131.exe, 0000001B.00000003.3206133655.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820673524.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsig |
Source: d361f35322.exe, 00000024.00000003.2822343743.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Fa |
Source: RegAsm.exe, 0000001D.00000002.2274630744.0000000000D56000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2273817779.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://affordcharmcropwo.shop/ |
Source: RegAsm.exe, 0000001D.00000002.2274630744.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2226894863.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://affordcharmcropwo.shop/api |
Source: RegAsm.exe, 0000001D.00000002.2274630744.0000000000D56000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://affordcharmcropwo.shop/apitemb |
Source: RegAsm.exe, 0000001D.00000002.2273817779.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://affordcharmcropwo.shop/d |
Source: RegAsm.exe, 0000001D.00000002.2273817779.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://affordcharmcropwo.shop/z |
Source: RegAsm.exe, 0000001D.00000002.2226894863.0000000000CAA000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://affordcharmcropwo.shop:443/apiNAME=userUSERPROFILE=C: |
Source: powershell.exe, 0000001E.00000002.2095956248.000001D41EDE1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 0000001E.00000002.2095956248.000001D41F008000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2095956248.000001D420547000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/winsvr-2022-pshelp |
Source: powershell.exe, 0000001E.00000002.2095956248.000001D420547000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX |
Source: jok.exe, 00000028.00000000.2051081332.00000000007C2000.00000002.00000001.01000000.00000018.sdmp |
String found in binary or memory: https://api.ip.sb/ip |
String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= |
String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search |
String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= |
Source: powershell.exe, 0000001E.00000002.2095956248.000001D4207A0000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 0000001E.00000002.2095956248.000001D4207A0000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 0000001E.00000002.2095956248.000001D4207A0000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
String found in binary or memory: https://db-ip.com/ |
String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.54.104 |
Source: d361f35322.exe, 00000009.00000003.2647485220.0000000001492000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.54.1042 |
String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.54.1045 |
Source: RageMP131.exe, 0000002E.00000002.2637513543.0000000001038000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.54.104N |
Source: RageMP131.exe, 0000002E.00000002.2637513543.0000000001038000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.54.104XNN |
String found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.54.104 |
Source: d361f35322.exe, 00000024.00000002.3079225585.000000000136B000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.54.104r |
String found in binary or memory: https://duckduckgo.com/ac/?q= |
String found in binary or memory: https://duckduckgo.com/chrome_newtab |
String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= |
Source: powershell.exe, 0000001E.00000002.2095956248.000001D41F008000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: RageMP131.exe, 0000002E.00000002.2637513543.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2637513543.0000000001038000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ipinfo.io/ |
Source: d361f35322.exe, 00000009.00000002.3073575028.00000000013E7000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ipinfo.io/5 |
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001449000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3350736971.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942487367.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2941258327.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940853881.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2943456957.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934755710.0000000001477000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3079225585.00000000013F2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2637513543.000000000101B000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ipinfo.io/Mozilla/5.0 |
Source: MPGPH131.exe, 0000001B.00000002.3350736971.0000000001417000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ipinfo.io/_ |
Source: d361f35322.exe, 00000009.00000002.3072030296.00000000007E1000.00000040.00000001.01000000.0000000C.sdmp, MPGPH131.exe, 0000001B.00000003.2069728672.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3349331204.0000000000701000.00000040.00000001.01000000.00000012.sdmp, MPGPH131.exe, 0000001C.00000003.2070120899.0000000005180000.00000004.00001000.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2021888097.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3072062602.00000000007E1000.00000040.00000001.01000000.0000000C.sdmp, RageMP131.exe, 0000002E.00000003.2138214229.0000000004C70000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2634123106.0000000000891000.00000040.00000001.01000000.0000001B.sdmp |
String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll |
Source: RageMP131.exe, 0000002E.00000002.2637513543.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ipinfo.io/i |
Source: d361f35322.exe, 00000009.00000002.3073575028.00000000013FA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3350736971.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942487367.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2941258327.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940853881.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2943456957.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3350736971.0000000001429000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934755710.0000000001477000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3079225585.00000000013F2000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3079225585.000000000139F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2637513543.0000000000FDB000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ipinfo.io/widget/demo/81.181.54.104 |
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001449000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2637513543.000000000102A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ipinfo.io/widget/demo/81.181.54.104T |
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001449000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2637513543.000000000102A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.54.104 |
Source: MPGPH131.exe, 0000001B.00000002.3350736971.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942487367.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2941258327.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940853881.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2943456957.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934755710.0000000001477000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.54.1048 |
Source: d361f35322.exe, 00000024.00000002.3079225585.000000000136B000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.54.104Uz |
Source: NewB.exe, 00000023.00000003.2221273909.0000000000C97000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://junglethomas.com/ |
Source: NewB.exe, 00000023.00000003.2221273909.0000000000C97000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://junglethomas.com/b3e2dbff31c451a3fa7323ca95e661ba/4767d2e713f2021e8fe856e3ea638b58.exe |
Source: NewB.exe, 00000023.00000003.2221273909.0000000000C97000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://junglethomas.com/b3e2dbff31c451a3fa7323ca95e661ba/4767d2e713f2021e8fe856e3ea638b58.exev |
Source: freebl3[1].dll.51.dr |
String found in binary or memory: https://mozilla.org0/ |
Source: powershell.exe, 0000001E.00000002.2315360912.000001D42EE5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2095956248.000001D4207A0000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: RageMP131.exe, 0000002E.00000002.2671632274.000000000795D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br |
Source: RageMP131.exe, 0000002E.00000002.2671632274.000000000795D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF |
Source: d361f35322.exe, 00000009.00000002.3082656269.0000000007D70000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000002.3073575028.00000000013BE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3354975509.0000000008152000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3350736971.00000000013ED000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2840876152.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2839845792.0000000007CE8000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3088709368.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2839809905.0000000007CCF000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3079225585.000000000136B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2637513543.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://t.me/RiseProSUPPORT |
Source: d361f35322.exe, 00000009.00000002.3082656269.0000000007D70000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://t.me/RiseProSUPPORT& |
Source: MPGPH131.exe, 0000001B.00000002.3354975509.0000000008152000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://t.me/RiseProSUPPORT3 |
Source: d361f35322.exe, 00000024.00000003.2840876152.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3088709368.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://t.me/RiseProSUPPORT8 |
Source: d361f35322.exe, 00000024.00000003.2840876152.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3088709368.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://t.me/RiseProSUPPORTI |
Source: RageMP131.exe, 0000002E.00000002.2637513543.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://t.me/RiseProSUPPORTo5# |
Source: d361f35322.exe, 00000024.00000002.3079225585.000000000136B000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://t.me/RiseProSUPPORTxR |
Source: RageMP131.exe, 0000002E.00000002.2637513543.0000000001038000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://t.me/risepro_bot |
Source: MPGPH131.exe, 0000001B.00000003.2943052576.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944589602.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944963727.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934727765.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944248868.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942019558.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940827091.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3247558222.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3351318785.00000000014BE000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://t.me/risepro_botP |
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2647485220.0000000001492000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://t.me/risepro_bote |
Source: MPGPH131.exe, 0000001B.00000003.2943052576.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944589602.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944963727.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934727765.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944248868.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942019558.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940827091.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3247558222.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3351318785.00000000014BE000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://t.me/risepro_botisepro_botf |
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2647485220.0000000001492000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://t.me/risepro_botisepro_botw |
Source: d361f35322.exe, 00000024.00000003.2824519132.0000000001444000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2762153720.0000000001440000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2758759334.000000000143F000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2874193365.000000000143F000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3081226044.0000000001440000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759980015.0000000001444000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760938757.0000000001442000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760535342.0000000001441000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2825526740.0000000001443000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2762501264.0000000001441000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2822644005.0000000001443000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2758475716.0000000001443000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819365667.0000000001444000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820817674.0000000001443000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759415774.000000000143F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://t.me/risepro_botl |
Source: MPGPH131.exe, 0000001B.00000003.2943052576.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944589602.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944963727.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934727765.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944248868.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942019558.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940827091.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3247558222.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3351318785.00000000014BE000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://t.me/risepro_botrisepro4.104 |
Source: freebl3[1].dll.51.dr |
String found in binary or memory: https://www.digicert.com/CPS0 |
Source: d361f35322.exe, 00000009.00000003.2768632315.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2767613201.0000000007DD3000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2912919495.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3207151088.0000000007D26000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942633187.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2823800272.0000000007D04000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760693387.0000000007CF6000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759849367.0000000007CCC000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.ecosia.org/newtab/ |
Source: d361f35322.exe, 00000009.00000003.2768632315.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2767613201.0000000007DD3000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2912919495.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3207151088.0000000007D26000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942633187.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2823800272.0000000007D04000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760693387.0000000007CF6000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759849367.0000000007CCC000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico |
Source: d361f35322.exe |
String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address |
Source: RageMP131.exe, 0000002E.00000002.2671632274.000000000795D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2 |
Source: RageMP131.exe, 0000002E.00000002.2671632274.000000000795D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR |
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3088677492.0000000007C60000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2671632274.0000000007914000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/ |
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/& |
Source: d361f35322.exe, 00000009.00000003.2769151677.0000000007DBA000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2768805138.0000000007DBA000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2765865909.0000000007DBA000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2766547058.0000000007DBA000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2767781607.0000000007DBA000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000002.3082656269.0000000007DBA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3206207533.0000000008152000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3354975509.0000000008152000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2828966339.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820673524.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2824193350.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2826557777.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2840195887.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3088844064.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2825253363.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2758285623.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2840876152.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2839878527.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2822343743.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2874104366.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2671632274.000000000795D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox |
Source: RageMP131.exe, 0000002E.00000002.2671632274.000000000795D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig |
Source: MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3088677492.0000000007C60000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2671632274.0000000007914000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.mozilla.org/privacy/firefox/ |
Source: d361f35322.exe, 00000024.00000002.3088677492.0000000007C60000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.mozilla.org/privacy/firefox/Data |
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.mozilla.org/privacy/firefox/ces? |
Source: d361f35322.exe, 00000009.00000003.2769151677.0000000007DBA000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2768805138.0000000007DBA000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2765865909.0000000007DBA000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2766547058.0000000007DBA000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2767781607.0000000007DBA000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000002.3082656269.0000000007DBA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3206207533.0000000008152000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3354975509.0000000008152000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2828966339.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820673524.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2824193350.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2826557777.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2840195887.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3088844064.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2825253363.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2758285623.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2840876152.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2839878527.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2822343743.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2874104366.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2671632274.000000000795D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www. |
Source: d361f35322.exe, 00000024.00000002.3088677492.0000000007C60000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2671632274.0000000007914000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.mozilla.org/privacy/firefox/r |
Source: MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.mozilla.org/privacy/firefox/ta |
Source: d361f35322.exe, 00000009.00000003.2912274365.0000000007DC2000.00000004.00000020.00020000.00000000.sdmp, ac861238af.exe, 00000010.00000003.7189686015.0000000000C7C000.00000004.00000020.00020000.00000000.sdmp, ac861238af.exe, 00000010.00000003.2320418390.000000000336C000.00000004.00000020.00020000.00000000.sdmp, ac861238af.exe, 00000010.00000003.2320275710.0000000003355000.00000004.00000020.00020000.00000000.sdmp, ac861238af.exe, 00000010.00000003.2320347999.0000000003358000.00000004.00000020.00020000.00000000.sdmp, ac861238af.exe, 00000010.00000003.7258589510.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp, ac861238af.exe, 00000010.00000003.7259110109.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, ac861238af.exe, 00000010.00000003.7189145681.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3350736971.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3205947734.0000000007CEB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3206133655.0000000008153000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2828616710.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820488974.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2826400120.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2840128095.0000000007CCF000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2832748402.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2836881277.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2873758197.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2840628725.0000000007CCF000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2830540798.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.youtube.com/account |
Source: MPGPH131.exe, 0000001B.00000003.3206133655.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820673524.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820817674.000000000144A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820817674.0000000001443000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.youtube.com/account/v/ |
Source: d361f35322.exe, 00000024.00000003.2820488974.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.youtube.com/accountE |
Source: d361f35322.exe, 00000024.00000003.2828616710.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2826400120.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2840128095.0000000007CCF000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2832748402.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2836881277.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2873758197.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2840628725.0000000007CCF000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2830540798.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2825253363.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3088938529.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2824119223.0000000007CB5000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2829699050.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2839577169.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2839809905.0000000007CCF000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2826875397.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2825684612.0000000007CB5000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2822343743.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2837144727.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2838516911.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.youtube.com/accountJ |
Source: MPGPH131.exe, 0000001B.00000003.3206207533.0000000008124000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820488974.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820609546.0000000007CE1000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.youtube.com/accountYouTube |
Source: MPGPH131.exe, 0000001B.00000003.3206207533.0000000008124000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820488974.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820609546.0000000007CE1000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.youtube.com/accountYouTube/v/ |
Source: MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.youtube.com/accountkO |
Source: d361f35322.exe, 00000024.00000003.2820673524.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps% |
Source: file300un.exe, 00000032.00000002.7140120246.000001F380091000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://yip.su/RNWPd.exeChttps://pastebin.com/raw/E0rY26ni5https://iplogger.com/1lyxz |
Source: MPGPH131.exe, 0000001B.00000003.3204849861.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819272725.0000000007CB5000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819336338.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://youtube.comVISITOR_INFO1_LIVE/ |
Source: MPGPH131.exe, 0000001B.00000003.3204849861.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819272725.0000000007CB5000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819336338.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp, u6po.0.exe, 00000033.00000003.2232787568.00000000220DC000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://youtube.comVISITOR_INFO1_LIVEv10% |
Source: d361f35322.exe, 00000009.00000003.2912110551.0000000007DBC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3204849861.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819272725.0000000007CB5000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819336338.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://youtube.comVISITOR_PRIVACY_METADATA/(9 |
Source: u6po.0.exe, 00000033.00000003.2232787568.00000000220DC000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://youtube.comVISITOR_PRIVACY_METADATAv10 |
Source: d361f35322.exe, 00000009.00000003.2912110551.0000000007DBC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3204849861.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819272725.0000000007CB5000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819336338.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://youtube.comYSC/)? |
Source: MPGPH131.exe, 0000001B.00000003.3204849861.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819272725.0000000007CB5000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819336338.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp, u6po.0.exe, 00000033.00000003.2232787568.00000000220DC000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://youtube.comYSCv10 |
Source: unknown |
Process created: C:\Users\user\Desktop\1CMweaqlKp.exe "C:\Users\user\Desktop\1CMweaqlKp.exe" |
|
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe" |
|
Source: unknown |
Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://%3cfnc1%3e(79)/ |
|
Source: C:\Program Files\Google\Chrome\Application\chrome.exe |
Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2656 --field-trial-handle=2296,i,9301016893778941798,11505312185340456869,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 |
|
Source: unknown |
Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
|
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe" |
|
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Process created: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe "C:\Users\user\AppData\Local\Temp\1000019001\amert.exe" |
|
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Process created: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe "C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe" |
|
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe" |
|
Source: unknown |
Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST |
|
Source: C:\Windows\SysWOW64\schtasks.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Process created: C:\Users\user\1000021002\ac861238af.exe "C:\Users\user\1000021002\ac861238af.exe" |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST |
|
Source: C:\Windows\SysWOW64\schtasks.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\1000021002\ac861238af.exe |
Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main |
|
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main |
|
Source: C:\Windows\System32\rundll32.exe |
Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles |
|
Source: C:\Windows\System32\netsh.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Process created: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe "C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe" |
|
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main |
|
Source: unknown |
Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe |
|
Source: unknown |
Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe |
|
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
|
Source: C:\Windows\System32\rundll32.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 928 |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Process created: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe "C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe" |
|
Source: unknown |
Process created: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe "C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe" |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe" /F |
|
Source: C:\Windows\SysWOW64\schtasks.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Process created: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe "C:\Users\user\AppData\Local\Temp\1000071001\jok.exe" |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Process created: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe "C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe" |
|
Source: C:\Program Files\Google\Chrome\Application\chrome.exe |
Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3696 --field-trial-handle=2296,i,9301016893778941798,11505312185340456869,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Process created: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe "C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe" |
|
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" |
|
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Process created: C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe "C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe" |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Process created: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" |
|
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe |
Process created: C:\Users\user\AppData\Local\Temp\u6po.0.exe "C:\Users\user\AppData\Local\Temp\u6po.0.exe" |
|
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" -Force |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" |
|
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe" |
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe" |
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Process created: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe "C:\Users\user\AppData\Local\Temp\1000019001\amert.exe" |
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Process created: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe "C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe" |
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Process created: C:\Users\user\1000021002\ac861238af.exe "C:\Users\user\1000021002\ac861238af.exe" |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe |
Process created: unknown unknown |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe |
Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2656 --field-trial-handle=2296,i,9301016893778941798,11505312185340456869,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe |
Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3696 --field-trial-handle=2296,i,9301016893778941798,11505312185340456869,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe" |
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST |
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST |
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Process created: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe "C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe" |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Process created: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe "C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe" |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Process created: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe "C:\Users\user\AppData\Local\Temp\1000071001\jok.exe" |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Process created: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe "C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe" |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Process created: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Process created: unknown unknown |
|
Source: C:\Users\user\1000021002\ac861238af.exe |
Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account |
|
Source: C:\Program Files\Google\Chrome\Application\chrome.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 928 |
|
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main |
|
Source: C:\Windows\System32\rundll32.exe |
Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles |
|
Source: C:\Windows\System32\rundll32.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal |
|
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe" /F |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Process created: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe "C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe" |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Process created: C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe "C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe" |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Process created: unknown unknown |
|
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe |
Process created: C:\Users\user\AppData\Local\Temp\u6po.0.exe "C:\Users\user\AppData\Local\Temp\u6po.0.exe" |
|
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
|
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" -Force |
|
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process created: unknown unknown |
|
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Section loaded: wininet.dll |
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Section loaded: mstask.dll |
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Section loaded: mpr.dll |
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Section loaded: dui70.dll |
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Section loaded: duser.dll |
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Section loaded: chartv.dll |
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Section loaded: onecoreuapcommonproxystub.dll |
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Section loaded: oleacc.dll |
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Section loaded: atlthunk.dll |
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Section loaded: textinputframework.dll |
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Section loaded: coreuicomponents.dll |
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Section loaded: coremessaging.dll |
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Section loaded: ntmarta.dll |
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Section loaded: coremessaging.dll |
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Section loaded: wintypes.dll |
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Section loaded: wtsapi32.dll |
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Section loaded: winsta.dll |
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Section loaded: textshaping.dll |
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Section loaded: propsys.dll |
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Section loaded: windows.staterepositoryps.dll |
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Section loaded: windows.fileexplorer.common.dll |
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Section loaded: iertutil.dll |
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Section loaded: explorerframe.dll |
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Section loaded: edputil.dll |
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Section loaded: urlmon.dll |
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Section loaded: srvcli.dll |
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Section loaded: netutils.dll |
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Section loaded: appresolver.dll |
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Section loaded: bcp47langs.dll |
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Section loaded: slc.dll |
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Section loaded: sppc.dll |
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Section loaded: onecorecommonproxystub.dll |
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Section loaded: wininet.dll |
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Section loaded: iertutil.dll |
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Section loaded: ondemandconnroutehelper.dll |
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Section loaded: winhttp.dll |
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Section loaded: mswsock.dll |
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Section loaded: winnsi.dll |
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Section loaded: urlmon.dll |
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Section loaded: srvcli.dll |
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Section loaded: netutils.dll |
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Section loaded: propsys.dll |
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Section loaded: edputil.dll |
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Section loaded: windows.staterepositoryps.dll |
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Section loaded: wintypes.dll |
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Section loaded: appresolver.dll |
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Section loaded: bcp47langs.dll |
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Section loaded: slc.dll |
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Section loaded: userenv.dll |
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Section loaded: sppc.dll |
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Section loaded: onecorecommonproxystub.dll |
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Section loaded: onecoreuapcommonproxystub.dll |
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Section loaded: wininet.dll |
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: winmm.dll |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: wininet.dll |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: mstask.dll |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: windows.storage.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: wldp.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: mpr.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: dui70.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: duser.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: chartv.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: onecoreuapcommonproxystub.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: oleacc.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: atlthunk.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: textinputframework.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: coreuicomponents.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: coremessaging.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: ntmarta.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: coremessaging.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: wintypes.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: wintypes.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: wintypes.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: wtsapi32.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: winsta.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: textshaping.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: propsys.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: windows.staterepositoryps.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: windows.fileexplorer.common.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: iertutil.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: profapi.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: explorerframe.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: edputil.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: urlmon.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: srvcli.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: netutils.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: appresolver.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: bcp47langs.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: slc.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: userenv.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: sppc.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Section loaded: onecorecommonproxystub.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: apphelp.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: winmm.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: rstrtmgr.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: ncrypt.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: ntasn1.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: d3d11.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: dxgi.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: resourcepolicyclient.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: d3d10warp.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: uxtheme.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: dxcore.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: sspicli.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: ntmarta.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: winhttp.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: wininet.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: mswsock.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: devobj.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: ondemandconnroutehelper.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: webio.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: iphlpapi.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: winnsi.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: dnsapi.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: rasadhlp.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: fwpuclnt.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: schannel.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: mskeyprotect.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: ncryptsslp.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: msasn1.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: cryptsp.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: rsaenh.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: cryptbase.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: gpapi.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: vaultcli.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: wintypes.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: windows.storage.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: wldp.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: dpapi.dll |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Section loaded: apphelp.dll |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Section loaded: winmm.dll |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Section loaded: wininet.dll |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Section loaded: sspicli.dll |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Section loaded: iertutil.dll |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Section loaded: windows.storage.dll |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Section loaded: wldp.dll |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Section loaded: profapi.dll |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Section loaded: ondemandconnroutehelper.dll |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Section loaded: winhttp.dll |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Section loaded: iphlpapi.dll |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Section loaded: mswsock.dll |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Section loaded: winnsi.dll |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Section loaded: urlmon.dll |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Section loaded: srvcli.dll |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Section loaded: netutils.dll |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Section loaded: uxtheme.dll |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Section loaded: propsys.dll |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Section loaded: edputil.dll |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Section loaded: windows.staterepositoryps.dll |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Section loaded: wintypes.dll |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Section loaded: appresolver.dll |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Section loaded: bcp47langs.dll |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Section loaded: slc.dll |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Section loaded: userenv.dll |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Section loaded: sppc.dll |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Section loaded: onecorecommonproxystub.dll |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Section loaded: onecoreuapcommonproxystub.dll |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Section loaded: winmm.dll |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Section loaded: wininet.dll |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: taskschd.dll |
|
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: sspicli.dll |
|
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: xmllite.dll |
|
Source: C:\Users\user\1000021002\ac861238af.exe |
Section loaded: wsock32.dll |
|
Source: C:\Users\user\1000021002\ac861238af.exe |
Section loaded: version.dll |
|
Source: C:\Users\user\1000021002\ac861238af.exe |
Section loaded: winmm.dll |
|
Source: C:\Users\user\1000021002\ac861238af.exe |
Section loaded: mpr.dll |
|
Source: C:\Users\user\1000021002\ac861238af.exe |
Section loaded: wininet.dll |
|
Source: C:\Users\user\1000021002\ac861238af.exe |
Section loaded: iphlpapi.dll |
|
Source: C:\Users\user\1000021002\ac861238af.exe |
Section loaded: userenv.dll |
|
Source: C:\Users\user\1000021002\ac861238af.exe |
Section loaded: uxtheme.dll |
|
Source: C:\Users\user\1000021002\ac861238af.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Users\user\1000021002\ac861238af.exe |
Section loaded: windows.storage.dll |
|
Source: C:\Users\user\1000021002\ac861238af.exe |
Section loaded: wldp.dll |
|
Source: C:\Users\user\1000021002\ac861238af.exe |
Section loaded: propsys.dll |
|
Source: C:\Users\user\1000021002\ac861238af.exe |
Section loaded: profapi.dll |
|
Source: C:\Users\user\1000021002\ac861238af.exe |
Section loaded: edputil.dll |
|
Source: C:\Users\user\1000021002\ac861238af.exe |
Section loaded: urlmon.dll |
|
Source: C:\Users\user\1000021002\ac861238af.exe |
Section loaded: iertutil.dll |
|
Source: C:\Users\user\1000021002\ac861238af.exe |
Section loaded: srvcli.dll |
|
Source: C:\Users\user\1000021002\ac861238af.exe |
Section loaded: netutils.dll |
|
Source: C:\Users\user\1000021002\ac861238af.exe |
Section loaded: windows.staterepositoryps.dll |
|
Source: C:\Users\user\1000021002\ac861238af.exe |
Section loaded: sspicli.dll |
|
Source: C:\Users\user\1000021002\ac861238af.exe |
Section loaded: wintypes.dll |
|
Source: C:\Users\user\1000021002\ac861238af.exe |
Section loaded: appresolver.dll |
|
Source: C:\Users\user\1000021002\ac861238af.exe |
Section loaded: bcp47langs.dll |
|
Source: C:\Users\user\1000021002\ac861238af.exe |
Section loaded: slc.dll |
|
Source: C:\Users\user\1000021002\ac861238af.exe |
Section loaded: sppc.dll |
|
Source: C:\Users\user\1000021002\ac861238af.exe |
Section loaded: onecorecommonproxystub.dll |
|
Source: C:\Users\user\1000021002\ac861238af.exe |
Section loaded: onecoreuapcommonproxystub.dll |
|
Source: C:\Users\user\1000021002\ac861238af.exe |
Section loaded: pcacli.dll |
|
Source: C:\Users\user\1000021002\ac861238af.exe |
Section loaded: sfc_os.dll |
|
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: taskschd.dll |
|
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: sspicli.dll |
|
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: xmllite.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: ifmon.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: iphlpapi.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: mprapi.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: rasmontr.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: rasapi32.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: fwpuclnt.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: rasman.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: mfc42u.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: rasman.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: authfwcfg.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: fwpolicyiomgr.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: firewallapi.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: dnsapi.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: fwbase.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: dhcpcmonitor.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: dot3cfg.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: dot3api.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: onex.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: eappcfg.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: ncrypt.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: eappprxy.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: ntasn1.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: fwcfg.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: hnetmon.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: netshell.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: nlaapi.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: netsetupapi.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: netiohlp.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: dhcpcsvc.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: winnsi.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: nettrace.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: sspicli.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: nshhttp.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: httpapi.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: nshipsec.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: userenv.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: activeds.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: polstore.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: winipsec.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: adsldpc.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: adsldpc.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: nshwfp.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: cabinet.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: p2pnetsh.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: p2p.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: profapi.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: cryptbase.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: rpcnsh.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: wcnnetsh.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: wlanapi.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: whhelper.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: winhttp.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: wlancfg.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: cryptsp.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: wshelper.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: wevtapi.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: mswsock.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: wwancfg.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: wwapi.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: wcmapi.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: rmclient.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: mobilenetworking.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: peerdistsh.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: uxtheme.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: slc.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: sppc.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: gpapi.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: ktmw32.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: mprmsg.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: windows.storage.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: wldp.dll |
|
Source: C:\Windows\System32\netsh.exe |
Section loaded: msasn1.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe |
Section loaded: mscoree.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe |
Section loaded: apphelp.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe |
Section loaded: version.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe |
Section loaded: vcruntime140_clr0400.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe |
Section loaded: ucrtbase_clr0400.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe |
Section loaded: ucrtbase_clr0400.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe |
Section loaded: cryptsp.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe |
Section loaded: rsaenh.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe |
Section loaded: cryptbase.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: apphelp.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: winmm.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: rstrtmgr.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: ncrypt.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: ntasn1.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: d3d11.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: dxgi.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: resourcepolicyclient.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: d3d10warp.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: uxtheme.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: dxcore.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: sspicli.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: winhttp.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: wininet.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: mswsock.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: devobj.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: ondemandconnroutehelper.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: webio.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: iphlpapi.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: winnsi.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: dnsapi.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: rasadhlp.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: fwpuclnt.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: schannel.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: mskeyprotect.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: ncryptsslp.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: msasn1.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: cryptsp.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: rsaenh.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: cryptbase.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: gpapi.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: vaultcli.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: wintypes.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: windows.storage.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: wldp.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: ntmarta.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: dpapi.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: winmm.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: rstrtmgr.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: ncrypt.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: ntasn1.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: d3d11.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: dxgi.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: resourcepolicyclient.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: d3d10warp.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: uxtheme.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: dxcore.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: sspicli.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: winhttp.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: wininet.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: mswsock.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: devobj.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: ondemandconnroutehelper.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: webio.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: iphlpapi.dll |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Section loaded: winnsi.dll |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: apphelp.dll |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: aclayers.dll |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: mpr.dll |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: sfc.dll |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: sfc_os.dll |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: winhttp.dll |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: ondemandconnroutehelper.dll |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: webio.dll |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: mswsock.dll |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: iphlpapi.dll |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: winnsi.dll |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: sspicli.dll |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: dnsapi.dll |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: rasadhlp.dll |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: fwpuclnt.dll |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: schannel.dll |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: mskeyprotect.dll |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: ntasn1.dll |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: ncrypt.dll |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: ncryptsslp.dll |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: msasn1.dll |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: cryptsp.dll |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: rsaenh.dll |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: cryptbase.dll |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: gpapi.dll |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: dpapi.dll |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: ondemandconnroutehelper.dll |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: ondemandconnroutehelper.dll |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: ondemandconnroutehelper.dll |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: ondemandconnroutehelper.dll |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: ondemandconnroutehelper.dll |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: wbemcomn.dll |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: amsi.dll |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: userenv.dll |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: profapi.dll |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: version.dll |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: wbemcomn.dll |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: uxtheme.dll |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: ondemandconnroutehelper.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: atl.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: mscoree.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: version.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: vcruntime140_clr0400.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ucrtbase_clr0400.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ucrtbase_clr0400.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: cryptsp.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: rsaenh.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: cryptbase.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: amsi.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: userenv.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: profapi.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: windows.storage.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: wldp.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: msasn1.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: gpapi.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: msisip.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: wshext.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: appxsip.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: opcservices.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: secur32.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: sspicli.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: uxtheme.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: urlmon.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: iertutil.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: srvcli.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: netutils.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: propsys.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: wininet.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: kdscli.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ntasn1.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: apphelp.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: wininet.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: windows.storage.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: wldp.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: uxtheme.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: propsys.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: profapi.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: edputil.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: urlmon.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: iertutil.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: srvcli.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: netutils.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: windows.staterepositoryps.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: sspicli.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: wintypes.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: appresolver.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: bcp47langs.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: slc.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: userenv.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: sppc.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: onecorecommonproxystub.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: onecoreuapcommonproxystub.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: ondemandconnroutehelper.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: winhttp.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: mswsock.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: iphlpapi.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: winnsi.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: dnsapi.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: rasadhlp.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: fwpuclnt.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: schannel.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: mskeyprotect.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: ntasn1.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: msasn1.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: dpapi.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: cryptsp.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: rsaenh.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: cryptbase.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: gpapi.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: ncrypt.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Section loaded: ncryptsslp.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: winmm.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: rstrtmgr.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: ncrypt.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: ntasn1.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: d3d11.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: dxgi.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: resourcepolicyclient.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: d3d10warp.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: uxtheme.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: dxcore.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: sspicli.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: winhttp.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: wininet.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: mswsock.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: devobj.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: ondemandconnroutehelper.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: webio.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: iphlpapi.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: winnsi.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: dnsapi.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: rasadhlp.dll |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Section loaded: fwpuclnt.dll |
|
Source: C:\Users\user\Desktop\1CMweaqlKp.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\1000021002\ac861238af.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\netsh.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
|
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 7E22AF second address: 7E22B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 7E22B3 second address: 7E22CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569C5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 7F59D3 second address: 7F59D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 7F59D9 second address: 7F59E3 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0D755569B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 7F5C99 second address: 7F5CA5 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0D7471B5DEh 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 7F5CA5 second address: 7F5CC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push edi 0x0000000c pop edi 0x0000000d jng 00007F0D755569B6h 0x00000013 popad 0x00000014 pushad 0x00000015 push edi 0x00000016 pop edi 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 push edx 0x0000001a pop edx 0x0000001b popad 0x0000001c rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 7F5CC1 second address: 7F5CC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 7F5CC7 second address: 7F5CCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 7F5CCD second address: 7F5CD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 7F600E second address: 7F602E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D755569C9h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 7F602E second address: 7F604A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D7471B5E6h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 7F604A second address: 7F6050 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 7F88DE second address: 7F88FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 jmp 00007F0D7471B5DEh 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 7F88FD second address: 7F8904 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 7F8948 second address: 7F8984 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D7471B5E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F0D7471B5E2h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 jng 00007F0D7471B5D6h 0x0000001d rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 83C6EE second address: 83C71B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007F0D755569CAh 0x00000012 jmp 00007F0D755569C4h 0x00000017 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 83E631 second address: 83E649 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F0D7471B5DEh 0x0000000f rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 83E649 second address: 83E64D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 83E64D second address: 83E660 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0D7471B5DBh 0x0000000d rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 83E7CB second address: 83E7CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 83F6F4 second address: 83F75E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 push ebx 0x00000008 push ebx 0x00000009 pushad 0x0000000a popad 0x0000000b pop ebx 0x0000000c pop ebx 0x0000000d nop 0x0000000e push dword ptr fs:[00000000h] 0x00000015 push 00000000h 0x00000017 push eax 0x00000018 call 00007F0D7471B5D8h 0x0000001d pop eax 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 add dword ptr [esp+04h], 0000001Dh 0x0000002a inc eax 0x0000002b push eax 0x0000002c ret 0x0000002d pop eax 0x0000002e ret 0x0000002f push esi 0x00000030 add dword ptr [ebp+124492C8h], esi 0x00000036 pop ebx 0x00000037 mov dword ptr fs:[00000000h], esp 0x0000003e adc edi, 1E84177Bh 0x00000044 mov eax, dword ptr [ebp+122D0745h] 0x0000004a clc 0x0000004b push FFFFFFFFh 0x0000004d mov bx, 16F6h 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007F0D7471B5DBh 0x00000059 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 83F75E second address: 83F764 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 842591 second address: 842597 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 83D724 second address: 83D728 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 842597 second address: 8425F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007F0D7471B5D8h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push esi 0x0000002a call 00007F0D7471B5D8h 0x0000002f pop esi 0x00000030 mov dword ptr [esp+04h], esi 0x00000034 add dword ptr [esp+04h], 00000014h 0x0000003c inc esi 0x0000003d push esi 0x0000003e ret 0x0000003f pop esi 0x00000040 ret 0x00000041 mov ebx, 746D7CF6h 0x00000046 push 00000000h 0x00000048 mov edi, dword ptr [ebp+1244E01Ch] 0x0000004e xchg eax, esi 0x0000004f push ecx 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 popad 0x00000054 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 841812 second address: 841817 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 841817 second address: 841821 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F0D7471B5D6h 0x0000000a rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 841821 second address: 841825 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 8427C7 second address: 8427EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F0D7471B5E4h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007F0D7471B5DCh 0x00000014 jnl 00007F0D7471B5D6h 0x0000001a rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 8427EF second address: 8427F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 84386F second address: 843873 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 84A4DC second address: 84A4E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 84D3AD second address: 84D3C1 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0D7471B5D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F0D7471B5DAh 0x0000000f rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 84D6D3 second address: 84D6E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569BEh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 84D858 second address: 84D85C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 84D85C second address: 84D87C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0D755569BCh 0x0000000d jmp 00007F0D755569BCh 0x00000012 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 84D87C second address: 84D880 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 810B05 second address: 810B27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D755569BDh 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pushad 0x0000000e popad 0x0000000f je 00007F0D755569B6h 0x00000015 pop eax 0x00000016 push edi 0x00000017 pushad 0x00000018 popad 0x00000019 pop edi 0x0000001a rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 8569B9 second address: 8569BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 8569BF second address: 8569C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F0D755569B6h 0x0000000a rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 85764E second address: 85766A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007F0D7471B5E3h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 85CFA4 second address: 85CFAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F0D755569B6h 0x0000000a popad 0x0000000b rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 85D110 second address: 85D12E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D7471B5E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 85D12E second address: 85D132 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 85D256 second address: 85D25C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 85D25C second address: 85D260 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 85D260 second address: 85D26B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 85D26B second address: 85D271 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 85D271 second address: 85D286 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push esi 0x0000000a pushad 0x0000000b popad 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jnc 00007F0D7471B5D6h 0x00000015 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 85D286 second address: 85D290 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0D755569B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 85D290 second address: 85D2A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 85D2A0 second address: 85D2A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 85D3C7 second address: 85D3CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 85D3CD second address: 85D3D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 85D3D7 second address: 85D3DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 811628 second address: 81164F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569BFh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F0D755569C2h 0x00000010 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 8618AC second address: 8618B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 8265AD second address: 8265B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 8265B1 second address: 810B27 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D7471B5DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push eax 0x0000000e call 00007F0D7471B5D8h 0x00000013 pop eax 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc eax 0x00000021 push eax 0x00000022 ret 0x00000023 pop eax 0x00000024 ret 0x00000025 xor dx, 0FCDh 0x0000002a call 00007F0D7471B5DDh 0x0000002f sub dword ptr [ebp+122D1BECh], eax 0x00000035 pop edx 0x00000036 call dword ptr [ebp+122D27D7h] 0x0000003c jnl 00007F0D7471B5EBh 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 pushad 0x00000046 popad 0x00000047 je 00007F0D7471B5D6h 0x0000004d pop eax 0x0000004e push edi 0x0000004f pushad 0x00000050 popad 0x00000051 pop edi 0x00000052 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 82668A second address: 82668E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 826A6E second address: 826A78 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0D7471B5D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 826A78 second address: 826A7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 826A7E second address: 826A82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 826B78 second address: 826B7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 826F7B second address: 826F80 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 826F80 second address: 826F96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F0D755569BCh 0x0000000f rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 827078 second address: 8270D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F0D7471B5D6h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f jg 00007F0D7471B5DCh 0x00000015 push 00000004h 0x00000017 push 00000000h 0x00000019 push ebp 0x0000001a call 00007F0D7471B5D8h 0x0000001f pop ebp 0x00000020 mov dword ptr [esp+04h], ebp 0x00000024 add dword ptr [esp+04h], 00000019h 0x0000002c inc ebp 0x0000002d push ebp 0x0000002e ret 0x0000002f pop ebp 0x00000030 ret 0x00000031 jmp 00007F0D7471B5E4h 0x00000036 mov edx, dword ptr [ebp+122D3C7Bh] 0x0000003c push eax 0x0000003d push edi 0x0000003e push edi 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 82744A second address: 82745C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0D755569B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 82777C second address: 82779C instructions: 0x00000000 rdtsc 0x00000002 jns 00007F0D7471B5DCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F0D7471B5DAh 0x00000015 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 82779C second address: 8277A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 8277A1 second address: 8277A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 82785F second address: 827919 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0D755569BEh 0x0000000a popad 0x0000000b push eax 0x0000000c jnc 00007F0D755569D8h 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007F0D755569B8h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 0000001Bh 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d jmp 00007F0D755569C8h 0x00000032 mov cx, 4B59h 0x00000036 lea eax, dword ptr [ebp+1247B356h] 0x0000003c jmp 00007F0D755569C8h 0x00000041 sub ecx, dword ptr [ebp+122D28AEh] 0x00000047 nop 0x00000048 jmp 00007F0D755569BEh 0x0000004d push eax 0x0000004e jp 00007F0D755569BEh 0x00000054 push eax 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 827919 second address: 827962 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push ebx 0x00000009 call 00007F0D7471B5D8h 0x0000000e pop ebx 0x0000000f mov dword ptr [esp+04h], ebx 0x00000013 add dword ptr [esp+04h], 0000001Ch 0x0000001b inc ebx 0x0000001c push ebx 0x0000001d ret 0x0000001e pop ebx 0x0000001f ret 0x00000020 jmp 00007F0D7471B5DCh 0x00000025 lea eax, dword ptr [ebp+1247B312h] 0x0000002b movsx ecx, ax 0x0000002e push eax 0x0000002f pushad 0x00000030 push eax 0x00000031 push edx 0x00000032 jno 00007F0D7471B5D6h 0x00000038 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 827962 second address: 827966 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 827966 second address: 82796F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 82796F second address: 827975 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 827975 second address: 811628 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 mov edi, dword ptr [ebp+122D3B47h] 0x0000000f mov edx, ebx 0x00000011 call dword ptr [ebp+122D59A4h] 0x00000017 push eax 0x00000018 push edx 0x00000019 push ebx 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c jmp 00007F0D7471B5DCh 0x00000021 pop ebx 0x00000022 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 861DD8 second address: 861DDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 8620AE second address: 8620C6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007F0D7471B5DEh 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pop ecx 0x0000000f rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 8620C6 second address: 8620CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 8620CC second address: 8620E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D7471B5E6h 0x00000009 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 8620E6 second address: 8620EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 86B312 second address: 86B338 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F0D7471B5E6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jl 00007F0D7471B5D6h 0x00000015 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 86A181 second address: 86A186 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 86A2D3 second address: 86A2F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D7471B5E9h 0x00000009 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 86A2F0 second address: 86A310 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a jmp 00007F0D755569C5h 0x0000000f pop edx 0x00000010 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 86A310 second address: 86A316 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 86A450 second address: 86A458 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 86A458 second address: 86A46D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F0D7471B5D6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007F0D7471B5D6h 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 86A46D second address: 86A47F instructions: 0x00000000 rdtsc 0x00000002 je 00007F0D755569B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007F0D755569B6h 0x00000012 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 86A47F second address: 86A485 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 86AB30 second address: 86AB36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 871264 second address: 8712B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007F0D7471B5DFh 0x0000000f jmp 00007F0D7471B5E4h 0x00000014 jmp 00007F0D7471B5E3h 0x00000019 popad 0x0000001a jnp 00007F0D7471B610h 0x00000020 pushad 0x00000021 push edx 0x00000022 pop edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 874421 second address: 874425 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 8F1350 second address: 8F1354 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 8F1354 second address: 8F135A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 8F135A second address: 8F137D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D7555855Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jnp 00007F0D75558556h 0x00000011 js 00007F0D75558556h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 8F137D second address: 8F1387 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 8F0EAC second address: 8F0EC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0D75558567h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 8F0EC8 second address: 8F0ECE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 8F0ECE second address: 8F0F00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jne 00007F0D75558558h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 ja 00007F0D7555856Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 8F0F00 second address: 8F0F04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 8F1084 second address: 8F108C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 90B9E5 second address: 90BA0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F0D755569EFh 0x00000010 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 90BA0E second address: 90BA18 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0D7555855Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 90BB68 second address: 90BB6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 90BB6E second address: 90BB74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 90BE47 second address: 90BE4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 90C28F second address: 90C2E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D75558564h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F0D75558566h 0x0000000e jbe 00007F0D7555855Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F0D75558569h 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 90C494 second address: 90C498 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 910C76 second address: 910C8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D75558563h 0x00000009 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 910F96 second address: 91102B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d jmp 00007F0D755569E2h 0x00000012 push dword ptr [ebp+122D29ACh] 0x00000018 xor dword ptr [ebp+122D29A6h], edx 0x0000001e call 00007F0D755569D9h 0x00000023 jnc 00007F0D755569E5h 0x00000029 push eax 0x0000002a jng 00007F0D755569E9h 0x00000030 jmp 00007F0D755569E3h 0x00000035 mov eax, dword ptr [esp+04h] 0x00000039 jnc 00007F0D755569E2h 0x0000003f mov eax, dword ptr [eax] 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 push edx 0x00000045 pop edx 0x00000046 push eax 0x00000047 pop eax 0x00000048 popad 0x00000049 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 91102B second address: 911040 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnp 00007F0D75558556h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 913E43 second address: 913E53 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jng 00007F0D755569D6h 0x0000000f pop edx 0x00000010 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 913E53 second address: 913E73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0D7555855Ch 0x00000008 pushad 0x00000009 popad 0x0000000a push esi 0x0000000b pop esi 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 je 00007F0D75558556h 0x00000019 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 913E73 second address: 913E77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 9139BD second address: 9139C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 9139C8 second address: 9139CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FD0021 second address: 4FD0026 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FD0026 second address: 4FD002C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FD002C second address: 4FD0030 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FD0030 second address: 4FD0054 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569DEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d movsx ebx, cx 0x00000010 mov ch, 59h 0x00000012 popad 0x00000013 xchg eax, ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FD0054 second address: 4FD0059 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FD0059 second address: 4FD0089 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0D755569E5h 0x00000012 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FB0DA1 second address: 4FB0DB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D75558561h 0x00000009 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FB0DB6 second address: 4FB0DDD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0D755569DDh 0x00000013 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FB0DDD second address: 4FB0E6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0D75558567h 0x00000009 sub si, 7DAEh 0x0000000e jmp 00007F0D75558569h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 pushad 0x00000019 push esi 0x0000001a pushad 0x0000001b popad 0x0000001c pop edx 0x0000001d call 00007F0D75558564h 0x00000022 pushfd 0x00000023 jmp 00007F0D75558562h 0x00000028 and al, FFFFFF88h 0x0000002b jmp 00007F0D7555855Bh 0x00000030 popfd 0x00000031 pop ecx 0x00000032 popad 0x00000033 xchg eax, ebp 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F0D75558562h 0x0000003b rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FB0E6D second address: 4FB0E9A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0D755569DCh 0x00000009 xor eax, 06CD4718h 0x0000000f jmp 00007F0D755569DBh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov ebp, esp 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FB0E9A second address: 4FB0E9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FB0E9E second address: 4FB0EA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FB0EA4 second address: 4FB0EA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 500000E second address: 50000E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0D755569E1h 0x00000009 add ecx, 57196D96h 0x0000000f jmp 00007F0D755569E1h 0x00000014 popfd 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F0D755569DAh 0x00000022 add eax, 2A93D5B8h 0x00000028 jmp 00007F0D755569DBh 0x0000002d popfd 0x0000002e pushfd 0x0000002f jmp 00007F0D755569E8h 0x00000034 and si, 9018h 0x00000039 jmp 00007F0D755569DBh 0x0000003e popfd 0x0000003f popad 0x00000040 push eax 0x00000041 jmp 00007F0D755569E9h 0x00000046 xchg eax, ebp 0x00000047 pushad 0x00000048 movzx ecx, di 0x0000004b pushfd 0x0000004c jmp 00007F0D755569E9h 0x00000051 sbb cx, 9316h 0x00000056 jmp 00007F0D755569E1h 0x0000005b popfd 0x0000005c popad 0x0000005d mov ebp, esp 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 push eax 0x00000064 push edx 0x00000065 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 50000E3 second address: 50000E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 50000E7 second address: 50000EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 50000EB second address: 50000F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4F9014F second address: 4F90154 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4F90154 second address: 4F901BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D75558567h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F0D75558566h 0x0000000f push eax 0x00000010 pushad 0x00000011 mov ebx, 75369F14h 0x00000016 pushfd 0x00000017 jmp 00007F0D7555855Dh 0x0000001c jmp 00007F0D7555855Bh 0x00000021 popfd 0x00000022 popad 0x00000023 xchg eax, ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F0D75558560h 0x0000002d rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4F901BD second address: 4F901C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4F901C1 second address: 4F901C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FB0B78 second address: 4FB0BD6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov ch, dl 0x0000000d mov edx, esi 0x0000000f popad 0x00000010 xchg eax, ebp 0x00000011 jmp 00007F0D755569E2h 0x00000016 mov ebp, esp 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007F0D755569DDh 0x00000021 xor cx, 9536h 0x00000026 jmp 00007F0D755569E1h 0x0000002b popfd 0x0000002c mov cx, 9127h 0x00000030 popad 0x00000031 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FB07A9 second address: 4FB07AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FB07AD second address: 4FB07F5 instructions: 0x00000000 rdtsc 0x00000002 mov ah, 4Ch 0x00000004 pop edx 0x00000005 pop eax 0x00000006 call 00007F0D755569DFh 0x0000000b mov si, AD5Fh 0x0000000f pop eax 0x00000010 popad 0x00000011 push eax 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F0D755569E0h 0x00000019 adc ecx, 0DF9DDC8h 0x0000001f jmp 00007F0D755569DBh 0x00000024 popfd 0x00000025 pushad 0x00000026 mov ecx, 3E933555h 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FB07F5 second address: 4FB080B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 xchg eax, ebp 0x00000007 pushad 0x00000008 mov cl, 37h 0x0000000a movsx edi, cx 0x0000000d popad 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FB080B second address: 4FB080F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FB080F second address: 4FB0813 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FB0813 second address: 4FB0819 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FB06F7 second address: 4FB0757 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F0D75558563h 0x00000009 mov edi, eax 0x0000000b pop ecx 0x0000000c popad 0x0000000d xchg eax, ebp 0x0000000e pushad 0x0000000f mov esi, edx 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 pop ecx 0x00000015 popad 0x00000016 mov ebp, esp 0x00000018 pushad 0x00000019 movsx ebx, cx 0x0000001c pushad 0x0000001d mov ecx, 1FA6E7A9h 0x00000022 pushfd 0x00000023 jmp 00007F0D75558566h 0x00000028 xor ax, BF78h 0x0000002d jmp 00007F0D7555855Bh 0x00000032 popfd 0x00000033 popad 0x00000034 popad 0x00000035 pop ebp 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FB0757 second address: 4FB075F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov si, di 0x00000007 popad 0x00000008 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FB0503 second address: 4FB0509 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FB0509 second address: 4FB050D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FB050D second address: 4FB053E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D75558563h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0D75558565h 0x00000013 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FC01F1 second address: 4FC01F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FC01F7 second address: 4FC01FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FC01FD second address: 4FC025F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F0D755569E0h 0x00000011 push eax 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F0D755569E1h 0x00000019 and eax, 63D39056h 0x0000001f jmp 00007F0D755569E1h 0x00000024 popfd 0x00000025 push eax 0x00000026 push edx 0x00000027 mov ecx, 6AB4CB1Dh 0x0000002c rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FF0F14 second address: 4FF0F73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D75558561h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c jmp 00007F0D75558563h 0x00000011 pop eax 0x00000012 jmp 00007F0D75558569h 0x00000017 popad 0x00000018 push eax 0x00000019 jmp 00007F0D75558561h 0x0000001e xchg eax, ebp 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FF0F73 second address: 4FF0F77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FF0F77 second address: 4FF0F7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FF0F7B second address: 4FF0F81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FF0F81 second address: 4FF0F87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FF0F87 second address: 4FF0F8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FD0302 second address: 4FD0357 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edi 0x00000005 call 00007F0D7555855Bh 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebx 0x0000000f pushad 0x00000010 mov ax, 2611h 0x00000014 pushad 0x00000015 push ecx 0x00000016 pop ebx 0x00000017 popad 0x00000018 popad 0x00000019 mov dword ptr [esp], ebp 0x0000001c pushad 0x0000001d mov ch, 22h 0x0000001f mov dx, C180h 0x00000023 popad 0x00000024 mov ebp, esp 0x00000026 jmp 00007F0D7555855Fh 0x0000002b mov eax, dword ptr [ebp+08h] 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F0D75558565h 0x00000035 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FD0357 second address: 4FD03CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0D755569DAh 0x00000009 sub ax, 0228h 0x0000000e jmp 00007F0D755569DBh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 and dword ptr [eax], 00000000h 0x0000001a jmp 00007F0D755569E6h 0x0000001f and dword ptr [eax+04h], 00000000h 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007F0D755569DAh 0x0000002a or ah, FFFFFFB8h 0x0000002d jmp 00007F0D755569DBh 0x00000032 popfd 0x00000033 popad 0x00000034 pop ebp 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F0D755569E5h 0x0000003c rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FB0626 second address: 4FB062A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FB062A second address: 4FB0630 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FB0630 second address: 4FB0636 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FB0636 second address: 4FB0652 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0D755569DFh 0x00000012 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FB0652 second address: 4FB0656 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FB0656 second address: 4FB065C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FB065C second address: 4FB066B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D7555855Bh 0x00000009 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FF0768 second address: 4FF076E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FF076E second address: 4FF07A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D75558567h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0D75558564h 0x00000013 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FF07A2 second address: 4FF07A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 4FF07A7 second address: 4FF083E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bx, E8C2h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F0D7555855Fh 0x00000013 and eax, 2F0F17BEh 0x00000019 jmp 00007F0D75558569h 0x0000001e popfd 0x0000001f mov ah, 21h 0x00000021 popad 0x00000022 mov ebp, esp 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007F0D75558569h 0x0000002b add cx, B4A6h 0x00000030 jmp 00007F0D75558561h 0x00000035 popfd 0x00000036 push eax 0x00000037 push edx 0x00000038 pushfd 0x00000039 jmp 00007F0D7555855Eh 0x0000003e sub eax, 6EEEEA48h 0x00000044 jmp 00007F0D7555855Bh 0x00000049 popfd 0x0000004a rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 5010B66 second address: 5010B6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 5010B6C second address: 5010B70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 5010B70 second address: 5010B99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b movzx eax, al 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F0D755569DDh 0x00000015 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe |
RDTSC instruction interceptor: First address: 5010B99 second address: 5010BAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 push edx 0x00000007 pop ecx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f mov bh, 07h 0x00000011 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
RDTSC instruction interceptor: First address: 978065 second address: 97807B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D755569E2h 0x00000009 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
RDTSC instruction interceptor: First address: AF82CE second address: AF82D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
RDTSC instruction interceptor: First address: AF72CC second address: AF72F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F0D755569DEh 0x0000000b jmp 00007F0D755569E2h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
RDTSC instruction interceptor: First address: AF72F7 second address: AF72FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
RDTSC instruction interceptor: First address: AF72FB second address: AF730B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F0D755569D6h 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
RDTSC instruction interceptor: First address: AF730B second address: AF7311 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
RDTSC instruction interceptor: First address: AF7457 second address: AF7481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 popad 0x00000008 jnp 00007F0D755569FCh 0x0000000e push ecx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 jmp 00007F0D755569E4h 0x00000016 pop ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
RDTSC instruction interceptor: First address: AF7481 second address: AF7485 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
RDTSC instruction interceptor: First address: AF78AC second address: AF78B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
RDTSC instruction interceptor: First address: AF7B2A second address: AF7B3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edi 0x00000006 push edi 0x00000007 pop edi 0x00000008 jnc 00007F0D75558556h 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
RDTSC instruction interceptor: First address: AF7B3F second address: AF7B48 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe |
Queries volume information: C:\Users\user\1000021002\ac861238af.exe VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Queries volume information: C:\ VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Queries volume information: unknown VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\1000077001\jfesawdr.exe VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\1000080001\alexxxxxxxx.exe VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\1000081001\install.exe VolumeInformation |
Source: C:\Windows\System32\rundll32.exe |
Queries volume information: C:\Users\user\Desktop\AIXACVYBSB.docx VolumeInformation |
|
Source: C:\Windows\System32\rundll32.exe |
Queries volume information: C:\Users\user\Desktop\DTBZGIOOSO.docx VolumeInformation |
|
Source: C:\Windows\System32\rundll32.exe |
Queries volume information: C:\Users\user\Desktop\DTBZGIOOSO.xlsx VolumeInformation |
|
Source: C:\Windows\System32\rundll32.exe |
Queries volume information: C:\Users\user\Desktop\HTAGVDFUIE.xlsx VolumeInformation |
|
Source: C:\Windows\System32\rundll32.exe |
Queries volume information: C:\Users\user\Desktop\ONBQCLYSPU.docx VolumeInformation |
|
Source: C:\Windows\System32\rundll32.exe |
Queries volume information: C:\Users\user\Desktop\ONBQCLYSPU.xlsx VolumeInformation |
|
Source: C:\Windows\System32\rundll32.exe |
Queries volume information: C:\Users\user\Desktop\UMMBDNEQBN.xlsx VolumeInformation |
|
Source: C:\Windows\System32\rundll32.exe |
Queries volume information: C:\Users\user\Desktop\XZXHAVGRAG.docx VolumeInformation |
|
Source: C:\Windows\System32\netsh.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe VolumeInformation |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite VolumeInformation |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Queries volume information: unknown VolumeInformation |
|
Source: C:\ProgramData\MPGPH131\MPGPH131.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\1000236001\4767d2e713f2021e8fe856e3ea638b58.exe VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\u6po.1.zip VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe VolumeInformation |
|
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\u6po.0.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation |
|
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History |
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\Application Data\Mozilla\Firefox |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm |
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT |
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh |
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae |
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon |
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh |
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg |
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies |
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History |
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT |
Source: C:\Windows\System32\rundll32.exe |
File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn |
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT |
Source: C:\Windows\System32\rundll32.exe |
File opened: C:\Users\user\AppData\Local\Orbitum\User Data\Default\Login Data |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite |
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk |
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj |
Source: C:\Windows\System32\rundll32.exe |
File opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Login Data |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk |
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec |
Source: C:\Windows\System32\rundll32.exe |
File opened: C:\Users\user\AppData\Local\Chromium\User Data\Default\Login Data |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje |
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno |
Source: C:\Windows\System32\rundll32.exe |
File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\logins.json |
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db |
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm |
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite |
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT |
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT |
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT |
Source: C:\Windows\System32\rundll32.exe |
File opened: C:\Users\user\AppData\Local\CentBrowser\User Data\Default\Login Data |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic |
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa |
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default |
Source: C:\Windows\System32\rundll32.exe |
File opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Login Data |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh |
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite |
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies |
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd |
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT |
Source: C:\Windows\System32\rundll32.exe |
File opened: C:\Users\user\AppData\Local\Chedot\User Data\Default\Login Data |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\key4.db |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb |
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe |
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma |
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT |
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac |
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini |
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno |
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite |
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT |
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob |
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba |
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik |
Source: C:\Windows\System32\rundll32.exe |
File opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Login Data |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef |
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb |
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT |
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj |