Edit tour

Windows Analysis Report
1CMweaqlKp.exe

Overview

General Information

Sample name:	1CMweaqlKp.exe renamed because original name is a hash value
Original sample name:	8a19d654cb37e4e51be045acaf097e74.exe
Analysis ID:	1436254
MD5:	8a19d654cb37e4e51be045acaf097e74
SHA1:	7a3a86421a806d2ba66ae84e86305847c8b1f766
SHA256:	59b3af1a244a082219116ed9b496de99236b01ae42df75bf4211ed2b7069bc4b
Tags:	32exetrojan
Infos:

Detection

LummaC, Amadey, LummaC Stealer, Mars Stealer, RedLine, RisePro Stealer, SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

System process connects to network (likely due to code injection or exploit)

Yara detected Amadey

Yara detected Amadeys Clipper DLL

Yara detected Amadeys stealer DLL

Yara detected AntiVM3

Yara detected LummaC Stealer

Yara detected Mars stealer

Yara detected RedLine Stealer

Yara detected RisePro Stealer

Yara detected SmokeLoader

Yara detected Stealc

Yara detected UAC Bypass using CMSTP

Yara detected Vidar stealer

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates HTML files with .exe extension (expired dropper behavior)

Creates a thread in another existing process (thread injection)

Creates an undocumented autostart registry key

Creates multiple autostart registry keys

Disables UAC (registry)

Found many strings related to Crypto-Wallets (likely being stolen)

Found stalling execution ending in API Sleep call

Hides threads from debuggers

Injects a PE file into a foreign processes

Installs new ROOT certificates

Loading BitLocker PowerShell Module

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

PE file contains section with special chars

Potentially malicious time measurement code found

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses process hollowing technique

Sample uses string decryption to hide its real strings

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious Script Execution From Temp Folder

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Uses netsh to modify the Windows network and firewall settings

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops certificate files (DER)

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file does not import any functions

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

1CMweaqlKp.exe (PID: 2912 cmdline: "C:\Users\user\Desktop\1CMweaqlKp.exe" MD5: 8A19D654CB37E4E51BE045ACAF097E74)

explorta.exe (PID: 6676 cmdline: "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe" MD5: 8A19D654CB37E4E51BE045ACAF097E74)

explorta.exe (PID: 8160 cmdline: "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe" MD5: 8A19D654CB37E4E51BE045ACAF097E74)

amert.exe (PID: 7928 cmdline: "C:\Users\user\AppData\Local\Temp\1000019001\amert.exe" MD5: E67C8B3E5EC9F64052FCD2F45341CFA5)

explorha.exe (PID: 5664 cmdline: "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe" MD5: E67C8B3E5EC9F64052FCD2F45341CFA5)

rundll32.exe (PID: 4460 cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 4076 cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main MD5: EF3179D498793BF4234F708D3BE28633)

netsh.exe (PID: 1832 cmdline: netsh wlan show profiles MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

conhost.exe (PID: 3756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 352 cmdline: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

swiiiii.exe (PID: 2588 cmdline: "C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe" MD5: 1C7D0F34BB1D85B5D2C01367CC8F62EF)

conhost.exe (PID: 8044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 5348 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

WerFault.exe (PID: 8080 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 928 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 8060 cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main MD5: 889B99C52A60DD49227C5E485A016679)

NewB.exe (PID: 2336 cmdline: "C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe" MD5: 0099A99F5FFB3C3AE78AF0084136FAB3)

schtasks.exe (PID: 8260 cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe" /F MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ISetup8.exe (PID: 8700 cmdline: "C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe" MD5: 85D23A7E1BF2207A3FA825136090E00D)

u6po.0.exe (PID: 8000 cmdline: "C:\Users\user\AppData\Local\Temp\u6po.0.exe" MD5: F2CE35E5AA2A7771759D7F424F2803AC)

toolspub1.exe (PID: 9168 cmdline: "C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe" MD5: A9C28724B16C3BB3AF2FDB5AA9BE277C)

jok.exe (PID: 8672 cmdline: "C:\Users\user\AppData\Local\Temp\1000071001\jok.exe" MD5: 8510BCF5BC264C70180ABE78298E4D5B)

swiiii.exe (PID: 8936 cmdline: "C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe" MD5: 586F7FECACD49ADAB650FAE36E2DB994)

conhost.exe (PID: 8944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 9008 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

file300un.exe (PID: 7556 cmdline: "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" MD5: 18B50C6016CD5D7FF2F01B71A5E3373B)

powershell.exe (PID: 7708 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 8748 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

d361f35322.exe (PID: 5772 cmdline: "C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe" MD5: C1BF02296C415ABC8B1F0ED13088D96D)

schtasks.exe (PID: 6180 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7724 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ac861238af.exe (PID: 6604 cmdline: "C:\Users\user\1000021002\ac861238af.exe" MD5: 34C3E84E001DB4CF23A94BE34D462F11)

chrome.exe (PID: 8052 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 1028 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://%3cfnc1%3e(79)/ MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7340 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2656 --field-trial-handle=2296,i,9301016893778941798,11505312185340456869,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 8840 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3696 --field-trial-handle=2296,i,9301016893778941798,11505312185340456869,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

explorta.exe (PID: 8016 cmdline: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe MD5: 8A19D654CB37E4E51BE045ACAF097E74)

explorha.exe (PID: 7400 cmdline: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe MD5: E67C8B3E5EC9F64052FCD2F45341CFA5)

MPGPH131.exe (PID: 6636 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: C1BF02296C415ABC8B1F0ED13088D96D)

MPGPH131.exe (PID: 6008 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: C1BF02296C415ABC8B1F0ED13088D96D)

d361f35322.exe (PID: 8200 cmdline: "C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe" MD5: C1BF02296C415ABC8B1F0ED13088D96D)

NewB.exe (PID: 8664 cmdline: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe MD5: 0099A99F5FFB3C3AE78AF0084136FAB3)

RageMP131.exe (PID: 8964 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: C1BF02296C415ABC8B1F0ED13088D96D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-lummac2-94111d4b1e11	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/ https://bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Malware Configuration

Threatname: LummaC

{"C2 url": ["pillowbrocccolipe.shop", "communicationgenerwo.shop", "diskretainvigorousiw.shop", "affordcharmcropwo.shop", "dismissalcylinderhostw.shop", "enthusiasimtitleow.shop", "worryfillvolcawoi.shop", "cleartotalfisherwo.shop", "affordcharmcropwo.shop"], "Build id": "LGNDR1--ketamine"}

Threatname: Vidar

{"C2 url": "http://185.172.128.150/c698e1bc8a2f5e6d.php"}

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["http://trad-einmyus.com/index.php", "http://tradein-myus.com/index.php", "http://trade-inmyus.com/index.php"]}

Threatname: Amadey

{"C2 url": "185.172.128.19/ghsdh39s/index.php", "Version": "4.12"}

Threatname: RedLine

{"C2 url": ["185.215.113.67:26260"], "Bot Id": "Test1234", "Authorization Header": "bed37b7c341f364ee692c5adfa824881"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\cred64[1].dll	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\clip64[1].dll	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\clip64[1].dll	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\NewB[1].exe	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\jok[1].exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 5 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000003.1721215690.00000000011E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000002C.00000002.2151525456.0000000003CB5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000002C.00000002.2151525456.0000000003CB5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000027.00000000.2050930258.0000000000E51000.00000020.00000001.01000000.00000015.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000024.00000003.2840876152.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000024.00000003.2839845792.0000000007CE8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000023.00000000.2011865777.0000000000E51000.00000020.00000001.01000000.00000015.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000001B.00000002.3354975509.0000000008152000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000031.00000002.2229022734.0000000003640000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000031.00000002.2229022734.0000000003640000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x624:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000003.1626992485.00000000014C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000024.00000002.3088709368.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0000000B.00000003.1904362561.0000000004F10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000001.00000003.1663910421.0000000000C90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000031.00000002.2229087093.0000000003661000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000031.00000002.2229087093.0000000003661000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x224:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000007.00000002.1868102298.0000000000611000.00000040.00000001.01000000.0000000B.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000009.00000002.3082656269.0000000007D70000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000000.00000002.1663899661.0000000000731000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000007.00000003.1826787054.0000000004E00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000024.00000003.2839809905.0000000007CCF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000033.00000003.2152173443.0000000003680000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000033.00000003.2152173443.0000000003680000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000005.00000002.1732128904.0000000000701000.00000020.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000027.00000002.2069776940.0000000000E51000.00000020.00000001.01000000.00000015.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000B.00000002.1945079164.0000000000931000.00000040.00000001.01000000.0000000D.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000028.00000000.2051081332.00000000007C2000.00000002.00000001.01000000.00000018.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000A.00000003.1894101326.0000000005260000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000024.00000003.2840195887.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0000002F.00000002.2102303995.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000002F.00000002.2102303995.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000031.00000002.2228939653.00000000034F0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000031.00000002.2228816968.0000000001B2B000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x6a3c:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000024.00000003.2839878527.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000032.00000002.7140120246.000001F380020000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: d361f35322.exe PID: 5772	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: d361f35322.exe PID: 5772	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 6636	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 6636	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 5348	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 5348	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: powershell.exe PID: 352	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: d361f35322.exe PID: 8200	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: d361f35322.exe PID: 8200	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: jok.exe PID: 8672	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 8964	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: file300un.exe PID: 7556	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 49 entries

Unpacked PEs

Source	Rule	Description	Author
47.2.RegAsm.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
47.2.RegAsm.exe.400000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
47.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
47.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
51.3.u6po.0.exe.3680000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
51.3.u6po.0.exe.3680000.0.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
50.2.file300un.exe.1f3800d4830.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
44.2.swiiii.exe.3cb5570.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
44.2.swiiii.exe.3cb5570.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
50.2.file300un.exe.1f3800d7298.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
40.0.jok.exe.7c0000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
35.0.NewB.exe.e50000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
39.0.NewB.exe.e50000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
44.2.swiiii.exe.3cb5570.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
11.2.explorha.exe.930000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
51.3.u6po.0.exe.3680000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
51.3.u6po.0.exe.3680000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
44.2.swiiii.exe.3cb5570.0.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
39.2.NewB.exe.e50000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
7.2.amert.exe.610000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.2.1CMweaqlKp.exe.730000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
5.2.explorta.exe.700000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 17 entries

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe, ProcessId: 6676, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d361f35322.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe, ParentProcessId: 7556, ParentProcessName: file300un.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" -Force, ProcessId: 7708, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 4076, ParentProcessName: rundll32.exe, ProcessCommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, ProcessId: 352, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe, ProcessId: 6676, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d361f35322.exe

Sigma detected: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems), frack113: Data: Command: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 4076, ParentProcessName: rundll32.exe, ProcessCommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, ProcessId: 352, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST, CommandLine: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe, ParentProcessId: 5772, ParentProcessName: d361f35322.exe, ProcessCommandLine: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST, ProcessId: 6180, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe" /F, CommandLine: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe" /F, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe, ParentProcessId: 2336, ParentProcessName: NewB.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe" /F, ProcessId: 8260, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 4076, ParentProcessName: rundll32.exe, ProcessCommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, ProcessId: 352, ProcessName: powershell.exe

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: netsh wlan show profiles, CommandLine: netsh wlan show profiles, CommandLine|base64offset|contains: l, Image: C:\Windows\System32\netsh.exe, NewProcessName: C:\Windows\System32\netsh.exe, OriginalFileName: C:\Windows\System32\netsh.exe, ParentCommandLine: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 4076, ParentProcessName: rundll32.exe, ProcessCommandLine: netsh wlan show profiles, ProcessId: 1832, ProcessName: netsh.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 1CMweaqlKp.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png	URL Reputation: Label: malware
Source: 185.215.113.67:26260	Avira URL Cloud: Label: malware
Source: http://147.45.47.102:57893/hera/amadka.exe	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\1000021002\ac861238af.exe	Avira: detection malicious, Label: TR/AutoIt.zstul
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\amert[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\NewB[1].exe	Avira: detection malicious, Label: TR/Redcap.pernp

Found malware configuration

Source: 00000031.00000002.2229022734.0000000003640000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://trad-einmyus.com/index.php", "http://tradein-myus.com/index.php", "http://trade-inmyus.com/index.php"]}
Source: 00000033.00000003.2152173443.0000000003680000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": "http://185.172.128.150/c698e1bc8a2f5e6d.php"}
Source: 39.2.NewB.exe.e50000.0.unpack	Malware Configuration Extractor: Amadey {"C2 url": "185.172.128.19/ghsdh39s/index.php", "Version": "4.12"}
Source: 40.0.jok.exe.7c0000.0.unpack	Malware Configuration Extractor: RedLine {"C2 url": ["185.215.113.67:26260"], "Bot Id": "Test1234", "Authorization Header": "bed37b7c341f364ee692c5adfa824881"}
Source: 29.2.RegAsm.exe.400000.0.unpack	Malware Configuration Extractor: LummaC {"C2 url": ["pillowbrocccolipe.shop", "communicationgenerwo.shop", "diskretainvigorousiw.shop", "affordcharmcropwo.shop", "dismissalcylinderhostw.shop", "enthusiasimtitleow.shop", "worryfillvolcawoi.shop", "cleartotalfisherwo.shop", "affordcharmcropwo.shop"], "Build id": "LGNDR1--ketamine"}

Multi AV Scanner detection for domain / URL

Source: 185.215.113.67:26260	Virustotal: Detection: 16%	Perma Link
Source: pillowbrocccolipe.shop	Virustotal: Detection: 18%	Perma Link
Source: cleartotalfisherwo.shop	Virustotal: Detection: 18%	Perma Link
Source: http://185.172.128.150/c698e1bc8a2f5e6d.php	Virustotal: Detection: 19%	Perma Link
Source: https://affordcharmcropwo.shop/d	Virustotal: Detection: 9%	Perma Link
Source: worryfillvolcawoi.shop	Virustotal: Detection: 18%	Perma Link
Source: https://affordcharmcropwo.shop/z	Virustotal: Detection: 13%	Perma Link
Source: http://193.233.132.56/cost/lenin.exe1	Virustotal: Detection: 21%	Perma Link
Source: diskretainvigorousiw.shop	Virustotal: Detection: 18%	Perma Link
Source: communicationgenerwo.shop	Virustotal: Detection: 17%	Perma Link
Source: http://147.45.47.102:57893/hera/amadka.exe	Virustotal: Detection: 19%	Perma Link
Source: https://junglethomas.com/	Virustotal: Detection: 11%	Perma Link
Source: http://193.233.132.56/cost/go.exe	Virustotal: Detection: 25%	Perma Link
Source: affordcharmcropwo.shop	Virustotal: Detection: 17%	Perma Link
Source: http://193.233.132.56/cost/go.exemadka.ex	Virustotal: Detection: 21%	Perma Link
Source: enthusiasimtitleow.shop	Virustotal: Detection: 17%	Perma Link
Source: https://affordcharmcropwo.shop/api	Virustotal: Detection: 21%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Virustotal: Detection: 52%	Perma Link
Source: C:\Users\user\1000021002\ac861238af.exe	Virustotal: Detection: 34%	Perma Link
Source: C:\Users\user\AppData\Local\5LzADXbR9e1baIzvWufsCa70.exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\5LzADXbR9e1baIzvWufsCa70.exe	Virustotal: Detection: 44%	Perma Link
Source: C:\Users\user\AppData\Local\5W1aDm1vpFLN4gyrIiISMc4h.exe	ReversingLabs: Detection: 32%
Source: C:\Users\user\AppData\Local\5W1aDm1vpFLN4gyrIiISMc4h.exe	Virustotal: Detection: 43%	Perma Link
Source: C:\Users\user\AppData\Local\8sXk5E4IG9n4ZHu2M9Littnp.exe	ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\8sXk5E4IG9n4ZHu2M9Littnp.exe	Virustotal: Detection: 72%	Perma Link
Source: C:\Users\user\AppData\Local\9SmQs0R4T5RJUISklvcv02zp.exe	ReversingLabs: Detection: 32%
Source: C:\Users\user\AppData\Local\9SmQs0R4T5RJUISklvcv02zp.exe	Virustotal: Detection: 43%	Perma Link
Source: C:\Users\user\AppData\Local\9WrQ2c2u5fxH1pcvCwwjGhdd.exe	ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\9WrQ2c2u5fxH1pcvCwwjGhdd.exe	Virustotal: Detection: 72%	Perma Link
Source: C:\Users\user\AppData\Local\Aghrmi42Lz5QvS8u8U6BiVXQ.exe	ReversingLabs: Detection: 43%
Source: C:\Users\user\AppData\Local\Aghrmi42Lz5QvS8u8U6BiVXQ.exe	Virustotal: Detection: 43%	Perma Link
Source: C:\Users\user\AppData\Local\Bkg8NSHXvizTVBsjT3dzRvci.exe	ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Bkg8NSHXvizTVBsjT3dzRvci.exe	Virustotal: Detection: 72%	Perma Link
Source: C:\Users\user\AppData\Local\C893DEcM3dAA247WrHBz1SDW.exe	ReversingLabs: Detection: 43%
Source: C:\Users\user\AppData\Local\C893DEcM3dAA247WrHBz1SDW.exe	Virustotal: Detection: 43%	Perma Link
Source: C:\Users\user\AppData\Local\CmCQsbfi77SnYQWckHTzUjRg.exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\CmCQsbfi77SnYQWckHTzUjRg.exe	Virustotal: Detection: 44%	Perma Link
Source: C:\Users\user\AppData\Local\H3bqnZf96LFIOlogieo3h5K9.exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\H3bqnZf96LFIOlogieo3h5K9.exe	Virustotal: Detection: 44%	Perma Link
Source: C:\Users\user\AppData\Local\KHojJ9v7XtNSHZfW6gAnnH23.exe	ReversingLabs: Detection: 32%
Source: C:\Users\user\AppData\Local\KHojJ9v7XtNSHZfW6gAnnH23.exe	Virustotal: Detection: 43%	Perma Link
Source: C:\Users\user\AppData\Local\LIdx8BlqmZTW07MQOtXboF4f.exe	ReversingLabs: Detection: 41%
Source: C:\Users\user\AppData\Local\LIdx8BlqmZTW07MQOtXboF4f.exe	Virustotal: Detection: 36%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\4767d2e713f2021e8fe856e3ea638b58[1].exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\4767d2e713f2021e8fe856e3ea638b58[1].exe	Virustotal: Detection: 44%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\NewB[1].exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\NewB[1].exe	Virustotal: Detection: 84%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\amert[1].exe	Virustotal: Detection: 57%	Perma Link

Multi AV Scanner detection for submitted file

Source: 1CMweaqlKp.exe	ReversingLabs: Detection: 50%
Source: 1CMweaqlKp.exe	Virustotal: Detection: 44%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\9WrQ2c2u5fxH1pcvCwwjGhdd.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\5W1aDm1vpFLN4gyrIiISMc4h.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Bkg8NSHXvizTVBsjT3dzRvci.exe	Joe Sandbox ML: detected
Source: C:\Users\user\1000021002\ac861238af.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\KHojJ9v7XtNSHZfW6gAnnH23.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\sarra[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\file300un[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\9SmQs0R4T5RJUISklvcv02zp.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\5LzADXbR9e1baIzvWufsCa70.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Aghrmi42Lz5QvS8u8U6BiVXQ.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\C893DEcM3dAA247WrHBz1SDW.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\8sXk5E4IG9n4ZHu2M9Littnp.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\CmCQsbfi77SnYQWckHTzUjRg.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\4767d2e713f2021e8fe856e3ea638b58[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\GIz2DLitsyoTn14REJti2nqN.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\amert[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\NewB[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\H3bqnZf96LFIOlogieo3h5K9.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 1CMweaqlKp.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: INSERT_KEY_HERE
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GetProcAddress
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: LoadLibraryA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: lstrcatA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: OpenEventA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: CreateEventA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: CloseHandle
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: Sleep
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GetUserDefaultLangID
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: VirtualAllocExNuma
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: VirtualFree
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GetSystemInfo
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: VirtualAlloc
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: HeapAlloc
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GetComputerNameA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: lstrcpyA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GetProcessHeap
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GetCurrentProcess
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: lstrlenA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: ExitProcess
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GlobalMemoryStatusEx
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GetSystemTime
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: SystemTimeToFileTime
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: advapi32.dll
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: gdi32.dll
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: user32.dll
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: crypt32.dll
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: ntdll.dll
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GetUserNameA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: CreateDCA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GetDeviceCaps
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: ReleaseDC
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: CryptStringToBinaryA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: sscanf
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: VMwareVMware
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: HAL9TH
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: JohnDoe
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: DISPLAY
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: %hu/%hu/%hu
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: http://52.143.157.84
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: /c73eed764cc59dcb.php
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: /84bad7132df89fd7/
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: pisun
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GetEnvironmentVariableA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GetFileAttributesA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GlobalLock
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: HeapFree
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GetFileSize
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GlobalSize
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: IsWow64Process
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: Process32Next
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GetLocalTime
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: FreeLibrary
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GetTimeZoneInformation
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GetSystemPowerStatus
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GetVolumeInformationA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GetWindowsDirectoryA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: Process32First
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GetLocaleInfoA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GetUserDefaultLocaleName
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GetModuleFileNameA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: DeleteFileA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: FindNextFileA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: LocalFree
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: FindClose
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: SetEnvironmentVariableA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: LocalAlloc
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GetFileSizeEx
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: ReadFile
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: SetFilePointer
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: WriteFile
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: CreateFileA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: FindFirstFileA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: CopyFileA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: VirtualProtect
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GetLastError
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: lstrcpynA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: MultiByteToWideChar
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GlobalFree
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: WideCharToMultiByte
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GlobalAlloc
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: OpenProcess
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: TerminateProcess
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GetCurrentProcessId
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: gdiplus.dll
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: ole32.dll
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: bcrypt.dll
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: wininet.dll
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: shlwapi.dll
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: shell32.dll
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: psapi.dll
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: rstrtmgr.dll
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: CreateCompatibleBitmap
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: SelectObject
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: BitBlt
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: DeleteObject
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: CreateCompatibleDC
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GdipGetImageEncodersSize
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GdipGetImageEncoders
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GdiplusStartup
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GdiplusShutdown
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GdipSaveImageToStream
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GdipDisposeImage
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GdipFree
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GetHGlobalFromStream
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: CreateStreamOnHGlobal
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: CoUninitialize
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: CoInitialize
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: CoCreateInstance
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: BCryptDecrypt
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: BCryptSetProperty
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: BCryptDestroyKey
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GetWindowRect
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GetDesktopWindow
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GetDC
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: CloseWindow
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: wsprintfA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: EnumDisplayDevicesA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GetKeyboardLayoutList
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: CharToOemW
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: wsprintfW
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: RegQueryValueExA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: RegEnumKeyExA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: RegOpenKeyExA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: RegCloseKey
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: RegEnumValueA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: CryptBinaryToStringA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: CryptUnprotectData
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: SHGetFolderPathA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: ShellExecuteExA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: InternetOpenUrlA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: InternetConnectA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: InternetCloseHandle
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: InternetOpenA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: HttpSendRequestA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: HttpOpenRequestA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: InternetReadFile
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: InternetCrackUrlA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: StrCmpCA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: StrStrA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: StrCmpCW
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: PathMatchSpecA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: GetModuleFileNameExA
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: RmStartSession
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: RmRegisterResources
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: RmGetList
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: RmEndSession
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: sqlite3_open
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: sqlite3_prepare_v2
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: sqlite3_step
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: sqlite3_column_text
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: sqlite3_finalize
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: sqlite3_close
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: sqlite3_column_bytes
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: sqlite3_column_blob
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: encrypted_key
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: PATH
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: NSS_Init
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: NSS_Shutdown
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: PK11_FreeSlot
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: PK11_Authenticate
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: PK11SDR_Decrypt
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: C:\ProgramData\
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: browser:
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: profile:
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: url:
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: login:
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: password:
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: Opera
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: OperaGX
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: Network
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: cookies
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: .txt
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: TRUE
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: FALSE
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: autofill
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: SELECT name, value FROM autofill
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: history
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: name:
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: month:
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: year:
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: card:
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: Cookies
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: Login Data
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: Web Data
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: History
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: logins.json
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: formSubmitURL
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: usernameField
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: encryptedUsername
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: encryptedPassword
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: guid
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: cookies.sqlite
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: formhistory.sqlite
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: places.sqlite
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: plugins
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: Local Extension Settings
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: Sync Extension Settings
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: IndexedDB
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: Opera Stable
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: Opera GX Stable
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: CURRENT
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: chrome-extension_
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: _0.indexeddb.leveldb
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: Local State
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: profiles.ini
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: chrome
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: opera
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: firefox
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: wallets
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: %08lX%04lX%lu
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: ProductName
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: ProcessorNameString
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: DisplayName
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: DisplayVersion
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: Network Info:
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: - IP: IP?
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: - Country: ISO?
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: System Summary:
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: - HWID:
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: - OS:
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: - Architecture:
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: - UserName:
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: - Computer Name:
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: - Local Time:
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: - UTC:
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: - Language:
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: - Keyboards:
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: - Laptop:
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: - Running Path:
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: - CPU:
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: - Threads:
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: - Cores:
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: - RAM:
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: - Display Resolution:
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: - GPU:
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: User Agents:
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: Installed Apps:
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: All Users:
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: Current User:
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: Process List:
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: system_info.txt
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: freebl3.dll
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: mozglue.dll
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: msvcp140.dll
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: nss3.dll
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: softokn3.dll
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: vcruntime140.dll
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: \Temp\
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: .exe
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: runas
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: open
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: /c start
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: %DESKTOP%
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: %APPDATA%
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: %LOCALAPPDATA%
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: %USERPROFILE%
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: %DOCUMENTS%
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: %PROGRAMFILES%
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: %PROGRAMFILES_86%
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: %RECENT%
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: *.lnk
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: files
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: \discord\
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: \Local Storage\leveldb
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: \Telegram Desktop\
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: key_datas
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: D877F783D5D3EF8C*
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: map*
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: A7FDF864FBC10B77*
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: F8806DD0C461824F*
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: Telegram
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: *.tox
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: *.ini
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: Password
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: 00000001
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: 00000002
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: 00000003
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: 00000004
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: \Outlook\accounts.txt
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: Pidgin
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: \.purple\
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: accounts.xml
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: dQw4w9WgXcQ
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: token:
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: Software\Valve\Steam
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: SteamPath
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: \config\
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: ssfn*
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: config.vdf
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: DialogConfig.vdf
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: libraryfolders.vdf
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: loginusers.vdf
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: \Steam\
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: sqlite3.dll
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: browsers
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: done
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: soft
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: \Discord\tokens.txt
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: https
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: POST
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: HTTP/1.1
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: hwid
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: build
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: token
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: file_name
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: file
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: message
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 47.2.RegAsm.exe.400000.0.unpack	String decryptor: screenshot.jpg
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: 185.172.128.19
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: /ghsdh39s/index.php
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: S-%lu-
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: cd1f156d67
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: Utsysc.exe
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: SCHTASKS
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: /Create /SC MINUTE /MO 1 /TN
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: /TR "
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: Startup
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: cmd /C RMDIR /s/q
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: rundll32
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: /Delete /TN "
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: Programs
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: %USERPROFILE%
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: cred.dll\|clip.dll\|
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: http://
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: https://
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: /Plugins/
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: &unit=
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: shell32.dll
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: kernel32.dll
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: GetNativeSystemInfo
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: ProgramData\
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: AVAST Software
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: Kaspersky Lab
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: Panda Security
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: Doctor Web
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: 360TotalSecurity
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: Bitdefender
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: Norton
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: Sophos
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: Comodo
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: WinDefender
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: 0123456789
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: ------
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: ?scr=1
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: ComputerName
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: -unicode-
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: VideoID
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: DefaultSettings.XResolution
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: DefaultSettings.YResolution
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: ProductName
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: CurrentBuild
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: echo Y\|CACLS "
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: " /P "
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: CACLS "
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: :R" /E
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: :F" /E
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: &&Exit
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: rundll32.exe
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: "taskkill /f /im "
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: " && timeout 1 && del
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: && Exit"
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: " && ren
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: Powershell.exe
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: -executionpolicy remotesigned -File "
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: shutdown -s -t 0
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: /w']fC
Source: 39.2.NewB.exe.e50000.0.unpack	String decryptor: vw(hF=
Source: 29.2.RegAsm.exe.400000.0.unpack	String decryptor: pillowbrocccolipe.shop
Source: 29.2.RegAsm.exe.400000.0.unpack	String decryptor: communicationgenerwo.shop
Source: 29.2.RegAsm.exe.400000.0.unpack	String decryptor: diskretainvigorousiw.shop
Source: 29.2.RegAsm.exe.400000.0.unpack	String decryptor: affordcharmcropwo.shop
Source: 29.2.RegAsm.exe.400000.0.unpack	String decryptor: dismissalcylinderhostw.shop
Source: 29.2.RegAsm.exe.400000.0.unpack	String decryptor: enthusiasimtitleow.shop
Source: 29.2.RegAsm.exe.400000.0.unpack	String decryptor: worryfillvolcawoi.shop
Source: 29.2.RegAsm.exe.400000.0.unpack	String decryptor: cleartotalfisherwo.shop
Source: 29.2.RegAsm.exe.400000.0.unpack	String decryptor: affordcharmcropwo.shop
Source: 29.2.RegAsm.exe.400000.0.unpack	String decryptor: lid=%s&j=%s&ver=4.0
Source: 29.2.RegAsm.exe.400000.0.unpack	String decryptor: TeslaBrowser/5.5
Source: 29.2.RegAsm.exe.400000.0.unpack	String decryptor: - Screen Resoluton:
Source: 29.2.RegAsm.exe.400000.0.unpack	String decryptor: - Physical Installed Memory:
Source: 29.2.RegAsm.exe.400000.0.unpack	String decryptor: Workgroup: -
Source: 29.2.RegAsm.exe.400000.0.unpack	String decryptor: LGNDR1--ketamine

Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe

Code function: 9_2_008A3EB0 CryptUnprotectData,CryptUnprotectData,

9_2_008A3EB0

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 00000032.00000002.7140120246.000001F380020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file300un.exe PID: 7556, type: MEMORYSTR

Source: 1CMweaqlKp.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source:	Binary string: freebl3.pdb source: freebl3[1].dll.51.dr
Source:	Binary string: C:\wutimosolix_62\gowaj\tosusinana-la.pdb source: ISetup8.exe, 00000029.00000003.2151074345.0000000003871000.00000004.00000020.00020000.00000000.sdmp, u6po.0.exe, 00000033.00000000.2149099984.0000000000412000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: freebl3.pdbp source: freebl3[1].dll.51.dr
Source:	Binary string: C:\somilixucasoba_pi.pdb source: ISetup8.exe, 00000029.00000000.2055258369.0000000000412000.00000002.00000001.01000000.00000019.sdmp, rVg8HtIzXa4xhJHL7Pn8A6d2.exe.54.dr
Source:	Binary string: file300un.PDBI: source: file300un.exe, 00000032.00000002.7139604951.000000C2DA0F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\rute\dazazef.pdb source: toolspub1.exe, 00000031.00000000.2109256617.0000000000412000.00000002.00000001.01000000.0000001D.sdmp, toolspub1.exe, 00000031.00000002.2197395229.0000000000412000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: mscorlib.pdb source: WERA6A7.tmp.dmp.34.dr
Source:	Binary string: System.ni.pdbRSDS source: WERA6A7.tmp.dmp.34.dr
Source:	Binary string: C:\dimohisek.pdb source: ppcQqLgPI8Dyy7YykX33fm5x.exe.54.dr
Source:	Binary string: Croco.pdb source: WERA6A7.tmp.dmp.34.dr
Source:	Binary string: C:\Users\user\AppData\Local\Temp\1000075001\file300un.PDB source: file300un.exe, 00000032.00000002.7139604951.000000C2DA0F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: YC:\rute\dazazef.pdb source: toolspub1.exe, 00000031.00000000.2109256617.0000000000412000.00000002.00000001.01000000.0000001D.sdmp, toolspub1.exe, 00000031.00000002.2197395229.0000000000412000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERA6A7.tmp.dmp.34.dr
Source:	Binary string: ,C:\dimohisek.pdb source: ppcQqLgPI8Dyy7YykX33fm5x.exe.54.dr
Source:	Binary string: pC:\Users\user\AppData\Local\Temp\1000075001\file300un.PDB source: file300un.exe, 00000032.00000002.7139604951.000000C2DA0F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.pdb4 source: WERA6A7.tmp.dmp.34.dr
Source:	Binary string: System.Core.pdb source: WERA6A7.tmp.dmp.34.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERA6A7.tmp.dmp.34.dr
Source:	Binary string: GC:\somilixucasoba_pi.pdb source: ISetup8.exe, 00000029.00000000.2055258369.0000000000412000.00000002.00000001.01000000.00000019.sdmp, rVg8HtIzXa4xhJHL7Pn8A6d2.exe.54.dr
Source:	Binary string: System.ni.pdb source: WERA6A7.tmp.dmp.34.dr
Source:	Binary string: System.pdb source: WERA6A7.tmp.dmp.34.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERA6A7.tmp.dmp.34.dr
Source:	Binary string: System.Core.ni.pdb source: WERA6A7.tmp.dmp.34.dr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Directory queried: number of queries: 1081

Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_008A33B0 FindFirstFileA,FindNextFileA,	9_2_008A33B0
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_008C3B20 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error,	9_2_008C3B20
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_00811F8C FindFirstFileExW,	9_2_00811F8C

Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 193.233.132.56 80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: pillowbrocccolipe.shop
Source: Malware configuration extractor	URLs: communicationgenerwo.shop
Source: Malware configuration extractor	URLs: diskretainvigorousiw.shop
Source: Malware configuration extractor	URLs: affordcharmcropwo.shop
Source: Malware configuration extractor	URLs: dismissalcylinderhostw.shop
Source: Malware configuration extractor	URLs: enthusiasimtitleow.shop
Source: Malware configuration extractor	URLs: worryfillvolcawoi.shop
Source: Malware configuration extractor	URLs: cleartotalfisherwo.shop
Source: Malware configuration extractor	URLs: affordcharmcropwo.shop
Source: Malware configuration extractor	URLs: http://185.172.128.150/c698e1bc8a2f5e6d.php
Source: Malware configuration extractor	URLs: http://trad-einmyus.com/index.php
Source: Malware configuration extractor	URLs: http://tradein-myus.com/index.php
Source: Malware configuration extractor	URLs: http://trade-inmyus.com/index.php
Source: Malware configuration extractor	IPs: 185.172.128.19
Source: Malware configuration extractor	URLs: 185.215.113.67:26260

Creates HTML files with .exe extension (expired dropper behavior)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: EubzUqqfLmBbNiHWxubQa6s2.exe.54.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: dq1f6mXIBjMzMXMQVeg2fNsL.exe.54.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: MTc4G09Eq4noHZ0G091uBZf1.exe.54.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: 5aIar1h6imWjPJZYPL4QSqoe.exe.54.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: r5kIpAOOvnafOvgnH4OtxIFK.exe.54.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: s0yoB0FX6GRQugk063ujbi4o.exe.54.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: EUl5mGPccm3Ux8yn4fNnNA26.exe.54.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: AN3CiEs9vHs3cPsEPcJxdtOY.exe.54.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: K7e4fpNGO8JkAsFxVXguIAcd.exe.54.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: qhzSo7WKfB79QVVeIp5fAbeL.exe.54.dr

Yara detected Generic Downloader

Source: Yara match	File source: 50.2.file300un.exe.1f3800d4830.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 50.2.file300un.exe.1f3800d7298.0.raw.unpack, type: UNPACKEDPE

Source: Joe Sandbox View	IP Address: 193.233.132.139 193.233.132.139
Source: Joe Sandbox View	IP Address: 185.172.128.90 185.172.128.90

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe

Code function: 9_2_008A52A0 recv,

9_2_008A52A0

Source: d361f35322.exe, 00000024.00000003.2820817674.0000000001443000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: in?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2820817674.0000000001443000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: in?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en/v/ equals www.youtube.com (Youtube)
Source: ac861238af.exe, 00000010.00000003.7189686015.0000000000C7C000.00000004.00000020.00020000.00000000.sdmp, ac861238af.exe, 00000010.00000003.7258589510.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp, ac861238af.exe, 00000010.00000003.7259110109.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2822343743.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccoun equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2820673524.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2820673524.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en/v/ equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2824119223.0000000007CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: //www.youtube.co equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2822343743.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: //www.youtube.com/accountYouTube equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2822343743.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: //www.youtube.com/accountYouTube/v/ equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2824119223.0000000007CB5000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2822343743.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Factio- equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2822343743.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_l= equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2820673524.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AaSxoQx6ne11cfZ6Gk3eVqT5Cz0DLtBw7SzKkiaryluTa5kmW0zT8SNnoepGMkksmkn9pwxU7Cs4rg equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001B.00000002.3350736971.0000000001477000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AaSxoQx6ne11cfZ6Gk3eVqT5Cz0DLtBw7SzKkiaryluTa5kmW0zT8SNnoepGMkksmkn9pwxU7Cs4rgH5 equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000002.3081226044.0000000001440000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AaSxoQx6ne11cfZ6Gk3eVqT5Cz0DLtBw7SzKkiaryluTa5kmW0zT8SNnoepGMkksmkn9pwxU7Cs4rgP equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2820673524.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AaSxoQx6ne11cfZ6Gk3eVqT5Cz0DLtBw7SzKkiaryluTa5kmW0zT8SNnoepGMkksmkn9pwxU7Cs4rgkk equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001B.00000002.3350736971.00000000013ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&ifkv=AaSxoQwjhvMUJDldG6Innua_C1pcDG5oPAHsCGMCPvqUw802RdjX5hf3fPDpZO3Wpa0PCsK_u6Dcjg&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S1325622038%3A1714794747441010&theme=mn&ddm=0 equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001B.00000003.3206207533.0000000008124000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&ifkv=AaSxoQwjhvMUJDldG6Innua_C1pcDG5oPAHsCGMCPvqUw802RdjX5hf3fPDpZO3Wpa0PCsK_u6Dcjg&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S1325622038%3A1714794747441010&theme=mn&ddm=010&t equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001B.00000003.3206133655.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820673524.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: andle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AaSxoQx6ne11cfZ6Gk3eVqT5Cz0DLtBw7SzKkiaryluTa5kmW0zT8SNnoepGMkksmkn9pwxU7Cs4rg equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001B.00000003.3206133655.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820673524.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: andle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AaSxoQx6ne11cfZ6Gk3eVqT5Cz0DLtBw7SzKkiaryluTa5kmW0zT8SNnoepGMkksmkn9pwxU7Cs4rg/v/ equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2820817674.0000000001443000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: gin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2820817674.0000000001443000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: gin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en/v/ equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001B.00000003.3206133655.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820673524.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_h equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252F equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2822343743.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AaSxoQx6ne11cfZ6Gk3eVqT5Cz0DLtBw7SzKkiaryluTa5kmW0zT8SNnoepGMkksmkn9pwxU7Cs4rg equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2822343743.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AaSxoQx6ne11cfZ6Gk3eVqT5Cz0DLtBw7SzKkiaryluTa5kmW0zT8SNnoepGMkksmkn9pwxU7Cs4rg/v/ equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2820609546.0000000007CE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AaSxoQx6ne11cfZ6Gk3eVqT5Cz0DLtBw7SzKkiaryluTa5kmW0zT8SNnoepGMkksmkn9pwxU7Cs4rgYouTube equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2820609546.0000000007CE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AaSxoQx6ne11cfZ6Gk3eVqT5Cz0DLtBw7SzKkiaryluTa5kmW0zT8SNnoepGMkksmkn9pwxU7Cs4rgYouTube/v/ equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2838516911.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en(R equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2820817674.000000000144A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en/v/ equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2820609546.0000000007CE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=enYouTube equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2820609546.0000000007CE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=enYouTube/v/ equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en^S equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2839809905.0000000007CCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en} equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001B.00000003.3206133655.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820673524.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsig equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2822343743.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&ifkv=AaSxoQwjhvMUJDldG6Innua_C1pcDG5oPAHsCGMCPvqUw802RdjX5hf3fPDpZO3Wpa0PCsK_u6Dcjg&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S1325622038%3A1714794747441010&theme=mn&ddm=0 equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2822343743.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&ifkv=AaSxoQwjhvMUJDldG6Innua_C1pcDG5oPAHsCGMCPvqUw802RdjX5hf3fPDpZO3Wpa0PCsK_u6Dcjg&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S1325622038%3A1714794747441010&theme=mn&ddm=0/v/ equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2820609546.0000000007CE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&ifkv=AaSxoQwjhvMUJDldG6Innua_C1pcDG5oPAHsCGMCPvqUw802RdjX5hf3fPDpZO3Wpa0PCsK_u6Dcjg&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S1325622038%3A1714794747441010&theme=mn&ddm=0YouTube equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2820609546.0000000007CE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&ifkv=AaSxoQwjhvMUJDldG6Innua_C1pcDG5oPAHsCGMCPvqUw802RdjX5hf3fPDpZO3Wpa0PCsK_u6Dcjg&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S1325622038%3A1714794747441010&theme=mn&ddm=0YouTube/v/ equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000002.3079225585.00000000013E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&ifkv=AaSxoQwjhvMUJDldG6Innua_C1pcDG5oPAHsCGMCPvqUw802RdjX5hf3fPDpZO3Wpa0PCsK_u6Dcjg&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S1325622038%3A1714794747441010&theme=mn&ddm=0raU equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000009.00000003.2912274365.0000000007DC2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3205947734.0000000007CEB000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819482005.0000000007CBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001B.00000002.3350736971.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3206133655.0000000008153000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: ac861238af.exe, 00000010.00000003.2320418390.000000000336C000.00000004.00000020.00020000.00000000.sdmp, ac861238af.exe, 00000010.00000003.2320275710.0000000003355000.00000004.00000020.00020000.00000000.sdmp, ac861238af.exe, 00000010.00000003.2320347999.0000000003358000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/account* equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001B.00000003.3206133655.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820673524.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820817674.000000000144A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/account/v/ equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2820488974.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/accountE equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2828616710.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2826400120.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2840128095.0000000007CCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/accountJ equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001B.00000003.3206207533.0000000008124000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820488974.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820609546.0000000007CE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/accountYouTube equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001B.00000003.3206207533.0000000008124000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820488974.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820609546.0000000007CE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/accountYouTube/v/ equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/accountkO equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2822343743.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: inue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtru equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2824193350.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2840876152.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2825758993.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ion_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AaSxoQx6ne11cfZ6Gk3eVqT5C equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2832279373.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2828966339.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ion_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AaSxoQx6ne11cfZ6Gk3eVqT5C! equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2832279373.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2828966339.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ion_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AaSxoQx6ne11cfZ6Gk3eVqT5C!! equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2822343743.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ion_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AaSxoQx6ne11cfZ6Gk3eVqT5Cz0DLtBw7SzKkiaryluTa5kmW0zT8SNnoepGMkksmkn9pwxU7Cs4rg equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2822343743.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ion_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AaSxoQx6ne11cfZ6Gk3eVqT5Cz0DLtBw7SzKkiaryluTa5kmW0zT8SNnoepGMkksmkn9pwxU7Cs4rgkk equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001B.00000003.3206133655.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820673524.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: nin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&ifkv=AaSxoQwjhvMUJDldG6Innua_C1pcDG5oPAHsCGMCPvqUw802RdjX5hf3fPDpZO3Wpa0PCsK_u6Dcjg&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S1325622038%3A1714794747441010&theme=mn&ddm=0 equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001B.00000003.3206133655.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820673524.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: nin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&ifkv=AaSxoQwjhvMUJDldG6Innua_C1pcDG5oPAHsCGMCPvqUw802RdjX5hf3fPDpZO3Wpa0PCsK_u6Dcjg&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S1325622038%3A1714794747441010&theme=mn&ddm=0/v/ equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2825253363.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2824119223.0000000007CB5000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2826081966.0000000007CE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: p%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=enYouTube equals www.youtube.com (Youtube)
Source: d361f35322.exe, 00000024.00000003.2825253363.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2824119223.0000000007CB5000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2826081966.0000000007CE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: p%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=enYouTube/v/ equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001B.00000003.3248220823.0000000007CD6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AaSxoQx6ne11cfZ6Gk3eVqT5Cz0DLtBw7SzKkiaryluTa5kmW0zT8SNnoepGMkksmkn9pwxU7Cs4rg equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001B.00000003.3248220823.0000000007CD6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AaSxoQx6ne11cfZ6Gk3eVqT5Cz0DLtBw7SzKkiaryluTa5kmW0zT8SNnoepGMkksmkn9pwxU7Cs4rg3xdf equals www.youtube.com (Youtube)

Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2647485220.0000000001492000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2943052576.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944589602.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944963727.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934727765.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944248868.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942019558.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940827091.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3247558222.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3351318785.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2824519132.0000000001444000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2762153720.0000000001440000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2758759334.000000000143F000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2874193365.000000000143F000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3081226044.0000000001440000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759980015.0000000001444000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760938757.0000000001442000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760535342.0000000001441000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2825526740.0000000001443000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe
Source: MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe.lv
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exer.dbl
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2647485220.0000000001492000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2943052576.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944589602.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944963727.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934727765.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944248868.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942019558.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940827091.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3247558222.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3351318785.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2824519132.0000000001444000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2762153720.0000000001440000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2758759334.000000000143F000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2874193365.000000000143F000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3081226044.0000000001440000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759980015.0000000001444000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760938757.0000000001442000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760535342.0000000001441000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2825526740.0000000001443000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/cost/go.exe
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2647485220.0000000001492000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/cost/go.exe4x
Source: MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/cost/go.exehCorel.ba
Source: MPGPH131.exe, 0000001B.00000003.2943052576.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944589602.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944963727.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934727765.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944248868.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942019558.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940827091.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3247558222.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3351318785.00000000014BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/cost/go.exemadka.ex
Source: d361f35322.exe, 00000024.00000003.2759415774.000000000143F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2637513543.0000000001038000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/cost/lenin.exe
Source: RageMP131.exe, 0000002E.00000002.2637513543.0000000001038000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/cost/lenin.exe1
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2647485220.0000000001492000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/cost/lenin.exe;x
Source: d361f35322.exe, 00000009.00000003.2647485220.0000000001492000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/cost/lenin.exea.exe68.0l
Source: MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/cost/lenin.exew.s
Source: freebl3[1].dll.51.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.51.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.51.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.51.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.51.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.51.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.51.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.51.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.51.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.51.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.51.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.51.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.51.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.51.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: powershell.exe, 0000001E.00000002.2315360912.000001D42EE5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2095956248.000001D4207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: freebl3[1].dll.51.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.51.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.51.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.51.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.51.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 0000001E.00000002.2095956248.000001D41F008000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000001E.00000002.2095956248.000001D41F008000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000001E.00000002.2095956248.000001D41EDE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000001E.00000002.2095956248.000001D41F008000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000001E.00000002.2095956248.000001D41F008000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: freebl3[1].dll.51.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: d361f35322.exe, 00000009.00000002.3072030296.00000000007E1000.00000040.00000001.01000000.0000000C.sdmp, MPGPH131.exe, 0000001B.00000003.2069728672.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3349331204.0000000000701000.00000040.00000001.01000000.00000012.sdmp, MPGPH131.exe, 0000001C.00000003.2070120899.0000000005180000.00000004.00001000.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2021888097.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3072062602.00000000007E1000.00000040.00000001.01000000.0000000C.sdmp, RageMP131.exe, 0000002E.00000003.2138214229.0000000004C70000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2634123106.0000000000891000.00000040.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: d361f35322.exe, 00000009.00000003.2768632315.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2767613201.0000000007DD3000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2912919495.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3207151088.0000000007D26000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942633187.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2823800272.0000000007D04000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760693387.0000000007CF6000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759849367.0000000007CCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: d361f35322.exe, 00000024.00000003.2820673524.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2822343743.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.googl
Source: MPGPH131.exe, 0000001B.00000003.3206133655.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820673524.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_h
Source: d361f35322.exe, 00000024.00000003.2822343743.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_s
Source: MPGPH131.exe, 0000001B.00000003.3206133655.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820673524.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https
Source: d361f35322.exe, 00000024.00000003.2839809905.0000000007CCF000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2826081966.0000000007CE1000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2826875397.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2825684612.0000000007CB5000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2822343743.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2837144727.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2838516911.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2
Source: d361f35322.exe, 00000024.00000003.2825684612.0000000007CB5000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2822343743.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/v3/signin/id
Source: MPGPH131.exe, 0000001B.00000003.3206133655.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820673524.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsig
Source: d361f35322.exe, 00000024.00000003.2822343743.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Fa
Source: RegAsm.exe, 0000001D.00000002.2274630744.0000000000D56000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2273817779.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://affordcharmcropwo.shop/
Source: RegAsm.exe, 0000001D.00000002.2274630744.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2226894863.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://affordcharmcropwo.shop/api
Source: RegAsm.exe, 0000001D.00000002.2274630744.0000000000D56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://affordcharmcropwo.shop/apitemb
Source: RegAsm.exe, 0000001D.00000002.2273817779.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://affordcharmcropwo.shop/d
Source: RegAsm.exe, 0000001D.00000002.2273817779.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://affordcharmcropwo.shop/z
Source: RegAsm.exe, 0000001D.00000002.2226894863.0000000000CAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://affordcharmcropwo.shop:443/apiNAME=userUSERPROFILE=C:
Source: powershell.exe, 0000001E.00000002.2095956248.000001D41EDE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000001E.00000002.2095956248.000001D41F008000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2095956248.000001D420547000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 0000001E.00000002.2095956248.000001D420547000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
Source: jok.exe, 00000028.00000000.2051081332.00000000007C2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: d361f35322.exe, 00000009.00000003.2768632315.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2767613201.0000000007DD3000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2912919495.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3207151088.0000000007D26000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942633187.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2823800272.0000000007D04000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760693387.0000000007CF6000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759849367.0000000007CCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: d361f35322.exe, 00000009.00000003.2768632315.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2767613201.0000000007DD3000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2912919495.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3207151088.0000000007D26000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942633187.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2823800272.0000000007D04000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760693387.0000000007CF6000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759849367.0000000007CCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: d361f35322.exe, 00000009.00000003.2768632315.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2767613201.0000000007DD3000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2912919495.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3207151088.0000000007D26000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942633187.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2823800272.0000000007D04000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760693387.0000000007CF6000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759849367.0000000007CCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 0000001E.00000002.2095956248.000001D4207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001E.00000002.2095956248.000001D4207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001E.00000002.2095956248.000001D4207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2647485220.0000000001492000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2943052576.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944589602.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944963727.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934727765.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944248868.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942019558.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940827091.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3247558222.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3351318785.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2824519132.0000000001444000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2762153720.0000000001440000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2758759334.000000000143F000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2874193365.000000000143F000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3081226044.0000000001440000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759980015.0000000001444000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760938757.0000000001442000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760535342.0000000001441000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2825526740.0000000001443000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2762501264.0000000001441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2647485220.0000000001492000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3350736971.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942487367.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2943052576.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2941258327.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940853881.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944589602.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944963727.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934727765.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2943456957.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944248868.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934755710.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942019558.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940827091.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3247558222.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3351318785.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2824519132.0000000001444000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3079225585.000000000140C000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2762153720.0000000001440000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2758759334.000000000143F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.54.104
Source: d361f35322.exe, 00000009.00000003.2647485220.0000000001492000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.54.1042
Source: MPGPH131.exe, 0000001B.00000003.2943052576.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944589602.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944963727.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934727765.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944248868.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942019558.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940827091.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3247558222.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3351318785.00000000014BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.54.1045
Source: RageMP131.exe, 0000002E.00000002.2637513543.0000000001038000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.54.104N
Source: RageMP131.exe, 0000002E.00000002.2637513543.0000000001038000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.54.104XNN
Source: MPGPH131.exe, 0000001B.00000002.3350736971.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942487367.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2941258327.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940853881.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2943456957.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934755710.0000000001477000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2637513543.0000000001038000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.54.104
Source: d361f35322.exe, 00000024.00000002.3079225585.000000000136B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.54.104r
Source: d361f35322.exe, 00000009.00000003.2768632315.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2767613201.0000000007DD3000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2912919495.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3207151088.0000000007D26000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942633187.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2823800272.0000000007D04000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760693387.0000000007CF6000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759849367.0000000007CCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: d361f35322.exe, 00000009.00000003.2768632315.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2767613201.0000000007DD3000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2912919495.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3207151088.0000000007D26000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942633187.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2823800272.0000000007D04000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760693387.0000000007CF6000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759849367.0000000007CCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: d361f35322.exe, 00000009.00000003.2768632315.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2767613201.0000000007DD3000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2912919495.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3207151088.0000000007D26000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942633187.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2823800272.0000000007D04000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760693387.0000000007CF6000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759849367.0000000007CCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 0000001E.00000002.2095956248.000001D41F008000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: RageMP131.exe, 0000002E.00000002.2637513543.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2637513543.0000000001038000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: d361f35322.exe, 00000009.00000002.3073575028.00000000013E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/5
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001449000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3350736971.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942487367.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2941258327.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940853881.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2943456957.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934755710.0000000001477000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3079225585.00000000013F2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2637513543.000000000101B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: MPGPH131.exe, 0000001B.00000002.3350736971.0000000001417000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/_
Source: d361f35322.exe, 00000009.00000002.3072030296.00000000007E1000.00000040.00000001.01000000.0000000C.sdmp, MPGPH131.exe, 0000001B.00000003.2069728672.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3349331204.0000000000701000.00000040.00000001.01000000.00000012.sdmp, MPGPH131.exe, 0000001C.00000003.2070120899.0000000005180000.00000004.00001000.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2021888097.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3072062602.00000000007E1000.00000040.00000001.01000000.0000000C.sdmp, RageMP131.exe, 0000002E.00000003.2138214229.0000000004C70000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2634123106.0000000000891000.00000040.00000001.01000000.0000001B.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: RageMP131.exe, 0000002E.00000002.2637513543.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/i
Source: d361f35322.exe, 00000009.00000002.3073575028.00000000013FA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3350736971.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942487367.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2941258327.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940853881.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2943456957.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3350736971.0000000001429000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934755710.0000000001477000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3079225585.00000000013F2000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3079225585.000000000139F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2637513543.0000000000FDB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/81.181.54.104
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001449000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2637513543.000000000102A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/81.181.54.104T
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001449000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2637513543.000000000102A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.54.104
Source: MPGPH131.exe, 0000001B.00000002.3350736971.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942487367.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2941258327.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940853881.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2943456957.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934755710.0000000001477000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.54.1048
Source: d361f35322.exe, 00000024.00000002.3079225585.000000000136B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.54.104Uz
Source: NewB.exe, 00000023.00000003.2221273909.0000000000C97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://junglethomas.com/
Source: NewB.exe, 00000023.00000003.2221273909.0000000000C97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://junglethomas.com/b3e2dbff31c451a3fa7323ca95e661ba/4767d2e713f2021e8fe856e3ea638b58.exe
Source: NewB.exe, 00000023.00000003.2221273909.0000000000C97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://junglethomas.com/b3e2dbff31c451a3fa7323ca95e661ba/4767d2e713f2021e8fe856e3ea638b58.exev
Source: freebl3[1].dll.51.dr	String found in binary or memory: https://mozilla.org0/
Source: powershell.exe, 0000001E.00000002.2315360912.000001D42EE5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2095956248.000001D4207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: RageMP131.exe, 0000002E.00000002.2671632274.000000000795D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: RageMP131.exe, 0000002E.00000002.2671632274.000000000795D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: d361f35322.exe, 00000009.00000002.3082656269.0000000007D70000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000002.3073575028.00000000013BE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3354975509.0000000008152000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3350736971.00000000013ED000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2840876152.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2839845792.0000000007CE8000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3088709368.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2839809905.0000000007CCF000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3079225585.000000000136B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2637513543.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: d361f35322.exe, 00000009.00000002.3082656269.0000000007D70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT&
Source: MPGPH131.exe, 0000001B.00000002.3354975509.0000000008152000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT3
Source: d361f35322.exe, 00000024.00000003.2840876152.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3088709368.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT8
Source: d361f35322.exe, 00000024.00000003.2840876152.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3088709368.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTI
Source: RageMP131.exe, 0000002E.00000002.2637513543.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTo5#
Source: d361f35322.exe, 00000024.00000002.3079225585.000000000136B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTxR
Source: RageMP131.exe, 0000002E.00000002.2637513543.0000000001038000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot
Source: MPGPH131.exe, 0000001B.00000003.2943052576.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944589602.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944963727.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934727765.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944248868.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942019558.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940827091.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3247558222.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3351318785.00000000014BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botP
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2647485220.0000000001492000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bote
Source: MPGPH131.exe, 0000001B.00000003.2943052576.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944589602.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944963727.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934727765.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944248868.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942019558.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940827091.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3247558222.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3351318785.00000000014BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botisepro_botf
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2647485220.0000000001492000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botisepro_botw
Source: d361f35322.exe, 00000024.00000003.2824519132.0000000001444000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2762153720.0000000001440000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2758759334.000000000143F000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2874193365.000000000143F000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3081226044.0000000001440000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759980015.0000000001444000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760938757.0000000001442000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760535342.0000000001441000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2825526740.0000000001443000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2762501264.0000000001441000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2822644005.0000000001443000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2758475716.0000000001443000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819365667.0000000001444000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820817674.0000000001443000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759415774.000000000143F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botl
Source: MPGPH131.exe, 0000001B.00000003.2943052576.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944589602.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944963727.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934727765.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944248868.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942019558.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940827091.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3247558222.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3351318785.00000000014BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botrisepro4.104
Source: freebl3[1].dll.51.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: d361f35322.exe, 00000009.00000003.2768632315.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2767613201.0000000007DD3000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2912919495.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3207151088.0000000007D26000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942633187.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2823800272.0000000007D04000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760693387.0000000007CF6000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759849367.0000000007CCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: d361f35322.exe, 00000009.00000003.2768632315.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2767613201.0000000007DD3000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2912919495.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3207151088.0000000007D26000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942633187.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2823800272.0000000007D04000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760693387.0000000007CF6000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759849367.0000000007CCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: d361f35322.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: RageMP131.exe, 0000002E.00000002.2671632274.000000000795D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: RageMP131.exe, 0000002E.00000002.2671632274.000000000795D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3088677492.0000000007C60000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2671632274.0000000007914000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/&
Source: d361f35322.exe, 00000009.00000003.2769151677.0000000007DBA000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2768805138.0000000007DBA000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2765865909.0000000007DBA000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2766547058.0000000007DBA000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2767781607.0000000007DBA000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000002.3082656269.0000000007DBA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3206207533.0000000008152000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3354975509.0000000008152000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2828966339.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820673524.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2824193350.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2826557777.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2840195887.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3088844064.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2825253363.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2758285623.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2840876152.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2839878527.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2822343743.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2874104366.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2671632274.000000000795D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: RageMP131.exe, 0000002E.00000002.2671632274.000000000795D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3088677492.0000000007C60000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2671632274.0000000007914000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: d361f35322.exe, 00000024.00000002.3088677492.0000000007C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/Data
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/ces?
Source: d361f35322.exe, 00000009.00000003.2769151677.0000000007DBA000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2768805138.0000000007DBA000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2765865909.0000000007DBA000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2766547058.0000000007DBA000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2767781607.0000000007DBA000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000002.3082656269.0000000007DBA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3206207533.0000000008152000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3354975509.0000000008152000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2828966339.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820673524.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2824193350.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2826557777.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2840195887.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3088844064.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2825253363.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2758285623.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2840876152.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2839878527.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2822343743.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2874104366.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2671632274.000000000795D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: d361f35322.exe, 00000024.00000002.3088677492.0000000007C60000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2671632274.0000000007914000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/r
Source: MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/ta
Source: d361f35322.exe, 00000009.00000003.2912274365.0000000007DC2000.00000004.00000020.00020000.00000000.sdmp, ac861238af.exe, 00000010.00000003.7189686015.0000000000C7C000.00000004.00000020.00020000.00000000.sdmp, ac861238af.exe, 00000010.00000003.2320418390.000000000336C000.00000004.00000020.00020000.00000000.sdmp, ac861238af.exe, 00000010.00000003.2320275710.0000000003355000.00000004.00000020.00020000.00000000.sdmp, ac861238af.exe, 00000010.00000003.2320347999.0000000003358000.00000004.00000020.00020000.00000000.sdmp, ac861238af.exe, 00000010.00000003.7258589510.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp, ac861238af.exe, 00000010.00000003.7259110109.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, ac861238af.exe, 00000010.00000003.7189145681.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3350736971.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3205947734.0000000007CEB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3206133655.0000000008153000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2828616710.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820488974.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2826400120.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2840128095.0000000007CCF000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2832748402.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2836881277.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2873758197.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2840628725.0000000007CCF000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2830540798.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/account
Source: MPGPH131.exe, 0000001B.00000003.3206133655.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820673524.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820817674.000000000144A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820817674.0000000001443000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/account/v/
Source: d361f35322.exe, 00000024.00000003.2820488974.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/accountE
Source: d361f35322.exe, 00000024.00000003.2828616710.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2826400120.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2840128095.0000000007CCF000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2832748402.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2836881277.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2873758197.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2840628725.0000000007CCF000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2830540798.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2825253363.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3088938529.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2824119223.0000000007CB5000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2829699050.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2839577169.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2839809905.0000000007CCF000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2826875397.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2825684612.0000000007CB5000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2822343743.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2837144727.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2838516911.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/accountJ
Source: MPGPH131.exe, 0000001B.00000003.3206207533.0000000008124000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820488974.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820609546.0000000007CE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/accountYouTube
Source: MPGPH131.exe, 0000001B.00000003.3206207533.0000000008124000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820488974.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820609546.0000000007CE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/accountYouTube/v/
Source: MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/accountkO
Source: d361f35322.exe, 00000024.00000003.2820673524.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%
Source: file300un.exe, 00000032.00000002.7140120246.000001F380091000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yip.su/RNWPd.exeChttps://pastebin.com/raw/E0rY26ni5https://iplogger.com/1lyxz
Source: MPGPH131.exe, 0000001B.00000003.3204849861.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819272725.0000000007CB5000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819336338.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.comVISITOR_INFO1_LIVE/
Source: MPGPH131.exe, 0000001B.00000003.3204849861.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819272725.0000000007CB5000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819336338.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp, u6po.0.exe, 00000033.00000003.2232787568.00000000220DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.comVISITOR_INFO1_LIVEv10%
Source: d361f35322.exe, 00000009.00000003.2912110551.0000000007DBC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3204849861.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819272725.0000000007CB5000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819336338.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.comVISITOR_PRIVACY_METADATA/(9
Source: u6po.0.exe, 00000033.00000003.2232787568.00000000220DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.comVISITOR_PRIVACY_METADATAv10
Source: d361f35322.exe, 00000009.00000003.2912110551.0000000007DBC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3204849861.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819272725.0000000007CB5000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819336338.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.comYSC/)?
Source: MPGPH131.exe, 0000001B.00000003.3204849861.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819272725.0000000007CB5000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819336338.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp, u6po.0.exe, 00000033.00000003.2232787568.00000000220DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.comYSCv10

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 00000031.00000002.2229022734.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000002.2229087093.0000000003661000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Source: ac861238af.exe, 00000010.00000003.7189686015.0000000000C7C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: _WINAPI_REGISTERRAWINPUTDEVICESYx

memstr_ee7ff430-3

Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	File created: C:\Users\user\AppData\Local\Temp\TmpC21F.tmp			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	File created: C:\Users\user\AppData\Local\Temp\TmpC1FF.tmp			Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000031.00000002.2229022734.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000031.00000002.2229087093.0000000003661000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000031.00000002.2228939653.00000000034F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000031.00000002.2228816968.0000000001B2B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown

.NET source code contains very large array initializations

Source: swiiiii[1].exe.10.dr, RemoteObjects.cs	Large array initialization: RemoteObjects: array initializer size 297472
Source: swiiiii.exe.10.dr, RemoteObjects.cs	Large array initialization: RemoteObjects: array initializer size 297472
Source: swiiii[1].exe.10.dr, RemoteObjects.cs	Large array initialization: RemoteObjects: array initializer size 153088
Source: swiiii.exe.10.dr, RemoteObjects.cs	Large array initialization: RemoteObjects: array initializer size 153088

Binary is likely a compiled AutoIt script file

Source: ac861238af.exe, 00000010.00000000.1932011901.0000000000762000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.		memstr_95765f4c-3
Source: ac861238af.exe, 00000010.00000000.1932011901.0000000000762000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer		memstr_1d9ccc15-0

PE file contains section with special chars

Source: 1CMweaqlKp.exe	Static PE information: section name:
Source: 1CMweaqlKp.exe	Static PE information: section name:
Source: 1CMweaqlKp.exe	Static PE information: section name:
Source: 1CMweaqlKp.exe	Static PE information: section name:
Source: 1CMweaqlKp.exe	Static PE information: section name:
Source: explorta.exe.0.dr	Static PE information: section name:
Source: explorta.exe.0.dr	Static PE information: section name:
Source: explorta.exe.0.dr	Static PE information: section name:
Source: explorta.exe.0.dr	Static PE information: section name:
Source: explorta.exe.0.dr	Static PE information: section name:
Source: sarra[1].exe.1.dr	Static PE information: section name:
Source: sarra[1].exe.1.dr	Static PE information: section name: .idata
Source: sarra[1].exe.1.dr	Static PE information: section name:
Source: amert[1].exe.1.dr	Static PE information: section name:
Source: amert[1].exe.1.dr	Static PE information: section name: .idata
Source: amert[1].exe.1.dr	Static PE information: section name:
Source: amert.exe.1.dr	Static PE information: section name:
Source: amert.exe.1.dr	Static PE information: section name: .idata
Source: amert.exe.1.dr	Static PE information: section name:
Source: random[1].exe.1.dr	Static PE information: section name:
Source: random[1].exe.1.dr	Static PE information: section name: .idata
Source: random[1].exe.1.dr	Static PE information: section name:
Source: d361f35322.exe.1.dr	Static PE information: section name:
Source: d361f35322.exe.1.dr	Static PE information: section name: .idata
Source: d361f35322.exe.1.dr	Static PE information: section name:
Source: explorha.exe.7.dr	Static PE information: section name:
Source: explorha.exe.7.dr	Static PE information: section name: .idata
Source: explorha.exe.7.dr	Static PE information: section name:
Source: RageMP131.exe.9.dr	Static PE information: section name:
Source: RageMP131.exe.9.dr	Static PE information: section name: .idata
Source: RageMP131.exe.9.dr	Static PE information: section name:
Source: MPGPH131.exe.9.dr	Static PE information: section name:
Source: MPGPH131.exe.9.dr	Static PE information: section name: .idata
Source: MPGPH131.exe.9.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\1CMweaqlKp.exe	File created: C:\Windows\Tasks\explorta.job			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	File created: C:\Windows\Tasks\explorha.job			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_008D8080	9_2_008D8080
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_0082001D	9_2_0082001D
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_008761D0	9_2_008761D0
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_008BD2B0	9_2_008BD2B0
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_008BC3E0	9_2_008BC3E0
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_008BB7E0	9_2_008BB7E0
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_0085F730	9_2_0085F730
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_0091C8D0	9_2_0091C8D0
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_007EB8E0	9_2_007EB8E0
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_008B49B0	9_2_008B49B0
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_00878A80	9_2_00878A80
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_00871A60	9_2_00871A60
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_0087CBF0	9_2_0087CBF0
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_00887D20	9_2_00887D20
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_0087AEC0	9_2_0087AEC0
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_00873ED0	9_2_00873ED0
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_0086DF60	9_2_0086DF60
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_009240A0	9_2_009240A0
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_009120C0	9_2_009120C0
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_00817190	9_2_00817190
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_00862100	9_2_00862100
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_00881130	9_2_00881130
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_00923160	9_2_00923160
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_0091F280	9_2_0091F280
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_0082035F	9_2_0082035F
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_008D0350	9_2_008D0350
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_0080F570	9_2_0080F570
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_00989680	9_2_00989680
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_008347AD	9_2_008347AD
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_0081A918	9_2_0081A918
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_0081C950	9_2_0081C950
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_00924AE0	9_2_00924AE0
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_00925A40	9_2_00925A40
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_0082DA74	9_2_0082DA74
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_008C4B90	9_2_008C4B90
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_00838BA0	9_2_00838BA0
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_00870BA0	9_2_00870BA0
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_00838E20	9_2_00838E20
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_00881E40	9_2_00881E40
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_008CBFC0	9_2_008CBFC0
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_008CCFC0	9_2_008CCFC0

Source: Joe Sandbox View

Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA

Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe

Code function: String function: 007FACE0 appears 86 times

Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 928

Source: explorta.exe.0.dr	Static PE information: Number of sections : 12 > 10
Source: 1CMweaqlKp.exe	Static PE information: Number of sections : 12 > 10

Source: file300un.exe.10.dr	Static PE information: No import functions for PE file found
Source: file300un[1].exe.10.dr	Static PE information: No import functions for PE file found

Source: 1CMweaqlKp.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000031.00000002.2229022734.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000031.00000002.2229087093.0000000003661000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000031.00000002.2228939653.00000000034F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000031.00000002.2228816968.0000000001B2B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

Source: swiiiii[1].exe.10.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: swiiiii.exe.10.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: swiiii[1].exe.10.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: swiiii.exe.10.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1CMweaqlKp.exe	Static PE information: Section: ZLIB complexity 0.9998594874100719
Source: 1CMweaqlKp.exe	Static PE information: Section: ZLIB complexity 0.9919149709302325
Source: 1CMweaqlKp.exe	Static PE information: Section: ZLIB complexity 1.00537109375
Source: 1CMweaqlKp.exe	Static PE information: Section: .boot ZLIB complexity 0.9902337473891388
Source: 1CMweaqlKp.exe	Static PE information: Section: .reloc ZLIB complexity 1.5
Source: explorta.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9998594874100719
Source: explorta.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9919149709302325
Source: explorta.exe.0.dr	Static PE information: Section: ZLIB complexity 1.00537109375
Source: explorta.exe.0.dr	Static PE information: Section: .boot ZLIB complexity 0.9902337473891388
Source: explorta.exe.0.dr	Static PE information: Section: .reloc ZLIB complexity 1.5
Source: amert[1].exe.1.dr	Static PE information: Section: ZLIB complexity 0.9981777815013405
Source: amert[1].exe.1.dr	Static PE information: Section: avcjhwxy ZLIB complexity 0.9946098513719512
Source: amert.exe.1.dr	Static PE information: Section: ZLIB complexity 0.9981777815013405
Source: amert.exe.1.dr	Static PE information: Section: avcjhwxy ZLIB complexity 0.9946098513719512
Source: explorha.exe.7.dr	Static PE information: Section: ZLIB complexity 0.9981777815013405
Source: explorha.exe.7.dr	Static PE information: Section: avcjhwxy ZLIB complexity 0.9946098513719512
Source: gold[1].exe.10.dr	Static PE information: Section: .Left ZLIB complexity 0.998365875385208
Source: gold.exe.10.dr	Static PE information: Section: .Left ZLIB complexity 0.998365875385208

Source: sarra[1].exe.1.dr

Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: file300un[1].exe.10.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: file300un.exe.10.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.phis.troj.spyw.expl.evad.winEXE@133/199@0/39

Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe

Code function: 9_2_008BD2B0 RegOpenKeyExA,RegQueryValueExA,RegOpenKeyExA,RegQueryValueExA,GetLocalTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,

9_2_008BD2B0

Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\sarra[1].exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8944:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8272:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6580:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3756:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6260:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Mutant created: \Sessions\1\BaseNamedObjects\07c6bc37dc50874878dcb010336ed906
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8132:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8044:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2588

Source: C:\Users\user\Desktop\1CMweaqlKp.exe

File created: C:\Users\user\AppData\Local\Temp\5454e6f062

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process

Source: C:\Users\user\Desktop\1CMweaqlKp.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\1CMweaqlKp.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe

Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

Source: d361f35322.exe, 00000009.00000002.3072030296.00000000007E1000.00000040.00000001.01000000.0000000C.sdmp, MPGPH131.exe, 0000001B.00000003.2069728672.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3349331204.0000000000701000.00000040.00000001.01000000.00000012.sdmp, MPGPH131.exe, 0000001C.00000003.2070120899.0000000005180000.00000004.00001000.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2021888097.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3072062602.00000000007E1000.00000040.00000001.01000000.0000000C.sdmp, RageMP131.exe, 0000002E.00000003.2138214229.0000000004C70000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2634123106.0000000000891000.00000040.00000001.01000000.0000001B.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: d361f35322.exe, 00000009.00000002.3072030296.00000000007E1000.00000040.00000001.01000000.0000000C.sdmp, MPGPH131.exe, 0000001B.00000003.2069728672.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3349331204.0000000000701000.00000040.00000001.01000000.00000012.sdmp, MPGPH131.exe, 0000001C.00000003.2070120899.0000000005180000.00000004.00001000.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2021888097.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3072062602.00000000007E1000.00000040.00000001.01000000.0000000C.sdmp, RageMP131.exe, 0000002E.00000003.2138214229.0000000004C70000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2634123106.0000000000891000.00000040.00000001.01000000.0000001B.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: d361f35322.exe, 00000009.00000003.2767781607.0000000007DB1000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2766547058.0000000007DB1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2941355973.0000000007CD2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942331492.0000000008153000.00000004.00000020.00020000.00000000.sdmp, u6po.0.exe, 00000033.00000003.2239168944.00000000220D4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 1CMweaqlKp.exe	ReversingLabs: Detection: 50%
Source: 1CMweaqlKp.exe	Virustotal: Detection: 44%

Source: amert.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: d361f35322.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: d361f35322.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

Source: C:\Users\user\Desktop\1CMweaqlKp.exe

File read: C:\Users\user\Desktop\1CMweaqlKp.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\1CMweaqlKp.exe "C:\Users\user\Desktop\1CMweaqlKp.exe"
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe"
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://%3cfnc1%3e(79)/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2656 --field-trial-handle=2296,i,9301016893778941798,11505312185340456869,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe"
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Process created: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe "C:\Users\user\AppData\Local\Temp\1000019001\amert.exe"
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Process created: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe "C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe"
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Process created: C:\Users\user\1000021002\ac861238af.exe "C:\Users\user\1000021002\ac861238af.exe"
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\1000021002\ac861238af.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe "C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe"
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 928
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe "C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe "C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe"
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe" /F
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe "C:\Users\user\AppData\Local\Temp\1000071001\jok.exe"
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Process created: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe "C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3696 --field-trial-handle=2296,i,9301016893778941798,11505312185340456869,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe "C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe"
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Process created: C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe "C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe"
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe	Process created: C:\Users\user\AppData\Local\Temp\u6po.0.exe "C:\Users\user\AppData\Local\Temp\u6po.0.exe"
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Process created: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe "C:\Users\user\AppData\Local\Temp\1000019001\amert.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Process created: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe "C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Process created: C:\Users\user\1000021002\ac861238af.exe "C:\Users\user\1000021002\ac861238af.exe"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2656 --field-trial-handle=2296,i,9301016893778941798,11505312185340456869,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3696 --field-trial-handle=2296,i,9301016893778941798,11505312185340456869,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe "C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe "C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe "C:\Users\user\AppData\Local\Temp\1000071001\jok.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe "C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: unknown unknown
Source: C:\Users\user\1000021002\ac861238af.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 928
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe" /F
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Process created: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe "C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe"
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Process created: C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe "C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe"
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe	Process created: C:\Users\user\AppData\Local\Temp\u6po.0.exe "C:\Users\user\AppData\Local\Temp\u6po.0.exe"
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" -Force
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\1000021002\ac861238af.exe	Section loaded: wsock32.dll
Source: C:\Users\user\1000021002\ac861238af.exe	Section loaded: version.dll
Source: C:\Users\user\1000021002\ac861238af.exe	Section loaded: winmm.dll
Source: C:\Users\user\1000021002\ac861238af.exe	Section loaded: mpr.dll
Source: C:\Users\user\1000021002\ac861238af.exe	Section loaded: wininet.dll
Source: C:\Users\user\1000021002\ac861238af.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\1000021002\ac861238af.exe	Section loaded: userenv.dll
Source: C:\Users\user\1000021002\ac861238af.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\1000021002\ac861238af.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\1000021002\ac861238af.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\1000021002\ac861238af.exe	Section loaded: wldp.dll
Source: C:\Users\user\1000021002\ac861238af.exe	Section loaded: propsys.dll
Source: C:\Users\user\1000021002\ac861238af.exe	Section loaded: profapi.dll
Source: C:\Users\user\1000021002\ac861238af.exe	Section loaded: edputil.dll
Source: C:\Users\user\1000021002\ac861238af.exe	Section loaded: urlmon.dll
Source: C:\Users\user\1000021002\ac861238af.exe	Section loaded: iertutil.dll
Source: C:\Users\user\1000021002\ac861238af.exe	Section loaded: srvcli.dll
Source: C:\Users\user\1000021002\ac861238af.exe	Section loaded: netutils.dll
Source: C:\Users\user\1000021002\ac861238af.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\1000021002\ac861238af.exe	Section loaded: sspicli.dll
Source: C:\Users\user\1000021002\ac861238af.exe	Section loaded: wintypes.dll
Source: C:\Users\user\1000021002\ac861238af.exe	Section loaded: appresolver.dll
Source: C:\Users\user\1000021002\ac861238af.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\1000021002\ac861238af.exe	Section loaded: slc.dll
Source: C:\Users\user\1000021002\ac861238af.exe	Section loaded: sppc.dll
Source: C:\Users\user\1000021002\ac861238af.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\1000021002\ac861238af.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\1000021002\ac861238af.exe	Section loaded: pcacli.dll
Source: C:\Users\user\1000021002\ac861238af.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winmm.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: vaultcli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wldp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntmarta.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winmm.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Section loaded: fwpuclnt.dll

Source: C:\Users\user\Desktop\1CMweaqlKp.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: 1CMweaqlKp.exe

Static file information: File size 1793040 > 1048576

Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: 1CMweaqlKp.exe

Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x185000

Source:	Binary string: freebl3.pdb source: freebl3[1].dll.51.dr
Source:	Binary string: C:\wutimosolix_62\gowaj\tosusinana-la.pdb source: ISetup8.exe, 00000029.00000003.2151074345.0000000003871000.00000004.00000020.00020000.00000000.sdmp, u6po.0.exe, 00000033.00000000.2149099984.0000000000412000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: freebl3.pdbp source: freebl3[1].dll.51.dr
Source:	Binary string: C:\somilixucasoba_pi.pdb source: ISetup8.exe, 00000029.00000000.2055258369.0000000000412000.00000002.00000001.01000000.00000019.sdmp, rVg8HtIzXa4xhJHL7Pn8A6d2.exe.54.dr
Source:	Binary string: file300un.PDBI: source: file300un.exe, 00000032.00000002.7139604951.000000C2DA0F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\rute\dazazef.pdb source: toolspub1.exe, 00000031.00000000.2109256617.0000000000412000.00000002.00000001.01000000.0000001D.sdmp, toolspub1.exe, 00000031.00000002.2197395229.0000000000412000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: mscorlib.pdb source: WERA6A7.tmp.dmp.34.dr
Source:	Binary string: System.ni.pdbRSDS source: WERA6A7.tmp.dmp.34.dr
Source:	Binary string: C:\dimohisek.pdb source: ppcQqLgPI8Dyy7YykX33fm5x.exe.54.dr
Source:	Binary string: Croco.pdb source: WERA6A7.tmp.dmp.34.dr
Source:	Binary string: C:\Users\user\AppData\Local\Temp\1000075001\file300un.PDB source: file300un.exe, 00000032.00000002.7139604951.000000C2DA0F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: YC:\rute\dazazef.pdb source: toolspub1.exe, 00000031.00000000.2109256617.0000000000412000.00000002.00000001.01000000.0000001D.sdmp, toolspub1.exe, 00000031.00000002.2197395229.0000000000412000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERA6A7.tmp.dmp.34.dr
Source:	Binary string: ,C:\dimohisek.pdb source: ppcQqLgPI8Dyy7YykX33fm5x.exe.54.dr
Source:	Binary string: pC:\Users\user\AppData\Local\Temp\1000075001\file300un.PDB source: file300un.exe, 00000032.00000002.7139604951.000000C2DA0F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.pdb4 source: WERA6A7.tmp.dmp.34.dr
Source:	Binary string: System.Core.pdb source: WERA6A7.tmp.dmp.34.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERA6A7.tmp.dmp.34.dr
Source:	Binary string: GC:\somilixucasoba_pi.pdb source: ISetup8.exe, 00000029.00000000.2055258369.0000000000412000.00000002.00000001.01000000.00000019.sdmp, rVg8HtIzXa4xhJHL7Pn8A6d2.exe.54.dr
Source:	Binary string: System.ni.pdb source: WERA6A7.tmp.dmp.34.dr
Source:	Binary string: System.pdb source: WERA6A7.tmp.dmp.34.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERA6A7.tmp.dmp.34.dr
Source:	Binary string: System.Core.ni.pdb source: WERA6A7.tmp.dmp.34.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Unpacked PE file: 7.2.amert.exe.610000.0.unpack :EW;.rsrc:W;.idata :W; :EW;avcjhwxy:EW;nkwkrymv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;avcjhwxy:EW;nkwkrymv:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Unpacked PE file: 9.2.d361f35322.exe.7e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;agovwish:EW;lcjgmmfi:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;agovwish:EW;lcjgmmfi:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Unpacked PE file: 11.2.explorha.exe.930000.0.unpack :EW;.rsrc:W;.idata :W; :EW;avcjhwxy:EW;nkwkrymv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;avcjhwxy:EW;nkwkrymv:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 27.2.MPGPH131.exe.700000.0.unpack :EW;.rsrc:W;.idata :W; :EW;agovwish:EW;lcjgmmfi:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;agovwish:EW;lcjgmmfi:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Unpacked PE file: 36.2.d361f35322.exe.7e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;agovwish:EW;lcjgmmfi:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;agovwish:EW;lcjgmmfi:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 46.2.RageMP131.exe.890000.0.unpack :EW;.rsrc:W;.idata :W; :EW;agovwish:EW;lcjgmmfi:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;agovwish:EW;lcjgmmfi:EW;.taggant:EW;

Source: jok[1].exe.10.dr

Static PE information: 0xFC177629 [Thu Jan 10 08:13:29 2104 UTC]

Source: initial sample

Static PE information: section where entry point is pointing to: .boot

Source: jok.exe.10.dr	Static PE information: real checksum: 0x0 should be: 0x547e4
Source: cred64[1].dll.10.dr	Static PE information: real checksum: 0x0 should be: 0x147ee8
Source: swiiiii[1].exe.10.dr	Static PE information: real checksum: 0x562fb should be: 0x5eece
Source: sarra[1].exe.1.dr	Static PE information: real checksum: 0x255044 should be: 0x255765
Source: amert.exe.1.dr	Static PE information: real checksum: 0x1d87f7 should be: 0x1d2e57
Source: clip64.dll.10.dr	Static PE information: real checksum: 0x0 should be: 0x1f783
Source: jok[1].exe.10.dr	Static PE information: real checksum: 0x0 should be: 0x547e4
Source: install.exe.10.dr	Static PE information: real checksum: 0x22d33 should be: 0x44be5e
Source: swiiii.exe.10.dr	Static PE information: real checksum: 0x0 should be: 0x32780
Source: install[1].exe.10.dr	Static PE information: real checksum: 0x22d33 should be: 0x44be5e
Source: cred64.dll.10.dr	Static PE information: real checksum: 0x0 should be: 0x147ee8
Source: clip64[1].dll.10.dr	Static PE information: real checksum: 0x0 should be: 0x1f783
Source: NewB.exe.10.dr	Static PE information: real checksum: 0x0 should be: 0x6bd55
Source: MPGPH131.exe.9.dr	Static PE information: real checksum: 0x24c49c should be: 0x254dd7
Source: explorha.exe.7.dr	Static PE information: real checksum: 0x1d87f7 should be: 0x1d2e57
Source: gold.exe.10.dr	Static PE information: real checksum: 0x0 should be: 0x9cfd4
Source: swiiii[1].exe.10.dr	Static PE information: real checksum: 0x0 should be: 0x32780
Source: amert[1].exe.1.dr	Static PE information: real checksum: 0x1d87f7 should be: 0x1d2e57
Source: RageMP131.exe.9.dr	Static PE information: real checksum: 0x24c49c should be: 0x254dd7
Source: NewB[1].exe.10.dr	Static PE information: real checksum: 0x0 should be: 0x6bd55
Source: d361f35322.exe.1.dr	Static PE information: real checksum: 0x24c49c should be: 0x254dd7
Source: gold[1].exe.10.dr	Static PE information: real checksum: 0x0 should be: 0x9cfd4
Source: alexxxxxxxx.exe.10.dr	Static PE information: real checksum: 0x0 should be: 0x2b7dd5
Source: alexxxxxxxx[1].exe.10.dr	Static PE information: real checksum: 0x0 should be: 0x2b7dd5
Source: swiiiii.exe.10.dr	Static PE information: real checksum: 0x562fb should be: 0x5eece
Source: random[1].exe.1.dr	Static PE information: real checksum: 0x24c49c should be: 0x254dd7

Source: 1CMweaqlKp.exe	Static PE information: section name:
Source: 1CMweaqlKp.exe	Static PE information: section name:
Source: 1CMweaqlKp.exe	Static PE information: section name:
Source: 1CMweaqlKp.exe	Static PE information: section name:
Source: 1CMweaqlKp.exe	Static PE information: section name:
Source: 1CMweaqlKp.exe	Static PE information: section name: .vm_sec
Source: 1CMweaqlKp.exe	Static PE information: section name: .themida
Source: 1CMweaqlKp.exe	Static PE information: section name: .boot
Source: explorta.exe.0.dr	Static PE information: section name:
Source: explorta.exe.0.dr	Static PE information: section name:
Source: explorta.exe.0.dr	Static PE information: section name:
Source: explorta.exe.0.dr	Static PE information: section name:
Source: explorta.exe.0.dr	Static PE information: section name:
Source: explorta.exe.0.dr	Static PE information: section name: .vm_sec
Source: explorta.exe.0.dr	Static PE information: section name: .themida
Source: explorta.exe.0.dr	Static PE information: section name: .boot
Source: sarra[1].exe.1.dr	Static PE information: section name:
Source: sarra[1].exe.1.dr	Static PE information: section name: .idata
Source: sarra[1].exe.1.dr	Static PE information: section name:
Source: sarra[1].exe.1.dr	Static PE information: section name: zhbidvgs
Source: sarra[1].exe.1.dr	Static PE information: section name: swmxyxsi
Source: sarra[1].exe.1.dr	Static PE information: section name: .taggant
Source: amert[1].exe.1.dr	Static PE information: section name:
Source: amert[1].exe.1.dr	Static PE information: section name: .idata
Source: amert[1].exe.1.dr	Static PE information: section name:
Source: amert[1].exe.1.dr	Static PE information: section name: avcjhwxy
Source: amert[1].exe.1.dr	Static PE information: section name: nkwkrymv
Source: amert[1].exe.1.dr	Static PE information: section name: .taggant
Source: amert.exe.1.dr	Static PE information: section name:
Source: amert.exe.1.dr	Static PE information: section name: .idata
Source: amert.exe.1.dr	Static PE information: section name:
Source: amert.exe.1.dr	Static PE information: section name: avcjhwxy
Source: amert.exe.1.dr	Static PE information: section name: nkwkrymv
Source: amert.exe.1.dr	Static PE information: section name: .taggant
Source: random[1].exe.1.dr	Static PE information: section name:
Source: random[1].exe.1.dr	Static PE information: section name: .idata
Source: random[1].exe.1.dr	Static PE information: section name:
Source: random[1].exe.1.dr	Static PE information: section name: agovwish
Source: random[1].exe.1.dr	Static PE information: section name: lcjgmmfi
Source: random[1].exe.1.dr	Static PE information: section name: .taggant
Source: d361f35322.exe.1.dr	Static PE information: section name:
Source: d361f35322.exe.1.dr	Static PE information: section name: .idata
Source: d361f35322.exe.1.dr	Static PE information: section name:
Source: d361f35322.exe.1.dr	Static PE information: section name: agovwish
Source: d361f35322.exe.1.dr	Static PE information: section name: lcjgmmfi
Source: d361f35322.exe.1.dr	Static PE information: section name: .taggant
Source: explorha.exe.7.dr	Static PE information: section name:
Source: explorha.exe.7.dr	Static PE information: section name: .idata
Source: explorha.exe.7.dr	Static PE information: section name:
Source: explorha.exe.7.dr	Static PE information: section name: avcjhwxy
Source: explorha.exe.7.dr	Static PE information: section name: nkwkrymv
Source: explorha.exe.7.dr	Static PE information: section name: .taggant
Source: RageMP131.exe.9.dr	Static PE information: section name:
Source: RageMP131.exe.9.dr	Static PE information: section name: .idata
Source: RageMP131.exe.9.dr	Static PE information: section name:
Source: RageMP131.exe.9.dr	Static PE information: section name: agovwish
Source: RageMP131.exe.9.dr	Static PE information: section name: lcjgmmfi
Source: RageMP131.exe.9.dr	Static PE information: section name: .taggant
Source: MPGPH131.exe.9.dr	Static PE information: section name:
Source: MPGPH131.exe.9.dr	Static PE information: section name: .idata
Source: MPGPH131.exe.9.dr	Static PE information: section name:
Source: MPGPH131.exe.9.dr	Static PE information: section name: agovwish
Source: MPGPH131.exe.9.dr	Static PE information: section name: lcjgmmfi
Source: MPGPH131.exe.9.dr	Static PE information: section name: .taggant
Source: gold[1].exe.10.dr	Static PE information: section name: .DAX
Source: gold[1].exe.10.dr	Static PE information: section name: .Left
Source: gold[1].exe.10.dr	Static PE information: section name: .INV
Source: gold.exe.10.dr	Static PE information: section name: .DAX
Source: gold.exe.10.dr	Static PE information: section name: .Left
Source: gold.exe.10.dr	Static PE information: section name: .INV
Source: cred64[1].dll.10.dr	Static PE information: section name: _RDATA
Source: cred64.dll.10.dr	Static PE information: section name: _RDATA
Source: alexxxxxxxx[1].exe.10.dr	Static PE information: section name: .00cfg
Source: alexxxxxxxx.exe.10.dr	Static PE information: section name: .00cfg

Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe

Code function: 9_2_00813F49 push ecx; ret

9_2_00813F5C

Source: 1CMweaqlKp.exe	Static PE information: section name: entropy: 7.9986661792698115
Source: 1CMweaqlKp.exe	Static PE information: section name: .boot entropy: 7.955810157618839
Source: explorta.exe.0.dr	Static PE information: section name: entropy: 7.9986661792698115
Source: explorta.exe.0.dr	Static PE information: section name: .boot entropy: 7.955810157618839
Source: sarra[1].exe.1.dr	Static PE information: section name: entropy: 7.9243513655231705
Source: sarra[1].exe.1.dr	Static PE information: section name: zhbidvgs entropy: 7.912044560062752
Source: amert[1].exe.1.dr	Static PE information: section name: entropy: 7.986768487395881
Source: amert[1].exe.1.dr	Static PE information: section name: avcjhwxy entropy: 7.953340978521756
Source: amert.exe.1.dr	Static PE information: section name: entropy: 7.986768487395881
Source: amert.exe.1.dr	Static PE information: section name: avcjhwxy entropy: 7.953340978521756
Source: random[1].exe.1.dr	Static PE information: section name: entropy: 7.924280236056968
Source: random[1].exe.1.dr	Static PE information: section name: agovwish entropy: 7.911493089854424
Source: d361f35322.exe.1.dr	Static PE information: section name: entropy: 7.924280236056968
Source: d361f35322.exe.1.dr	Static PE information: section name: agovwish entropy: 7.911493089854424
Source: explorha.exe.7.dr	Static PE information: section name: entropy: 7.986768487395881
Source: explorha.exe.7.dr	Static PE information: section name: avcjhwxy entropy: 7.953340978521756
Source: RageMP131.exe.9.dr	Static PE information: section name: entropy: 7.924280236056968
Source: RageMP131.exe.9.dr	Static PE information: section name: agovwish entropy: 7.911493089854424
Source: MPGPH131.exe.9.dr	Static PE information: section name: entropy: 7.924280236056968
Source: MPGPH131.exe.9.dr	Static PE information: section name: agovwish entropy: 7.911493089854424
Source: swiiiii[1].exe.10.dr	Static PE information: section name: .text entropy: 7.992152217310619
Source: swiiiii.exe.10.dr	Static PE information: section name: .text entropy: 7.992152217310619
Source: swiiii[1].exe.10.dr	Static PE information: section name: .text entropy: 7.987813915261593
Source: swiiii.exe.10.dr	Static PE information: section name: .text entropy: 7.987813915261593

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\Pictures\gX4d2ArXDOHTjofk9CfRb7Jz.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\Pictures\5nFKWr1EKUheiDEHo671vxm8.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\clip64[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u6po.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\QbkKvIT5uJj3Cx8h0ECIsmUK.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe	File created: C:\Users\user\AppData\Local\Temp\u6po.2\ASUS_WMI.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	File created: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\gold[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\ISetup8[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	File created: C:\ProgramData\MPGPH131\MPGPH131.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\jok[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	File created: C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\9WrQ2c2u5fxH1pcvCwwjGhdd.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\gPQjkT7jjoMSIv7cXyWMW1C4.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\toolspub1[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\C893DEcM3dAA247WrHBz1SDW.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\oqwWhViccQzmDvkS751EZRiG.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\CmCQsbfi77SnYQWckHTzUjRg.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\laQhqKepZhfkS5rQoYOvKJAy.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\Pictures\g81RdhkO8Pp47pz1l8siHWuN.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\Pictures\pScZMSZH0uu2OkUDvWpN2tuz.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\dmmb0z6yJ22pC75a4y49Nfob.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\mBoc1pbzy7gOQT20pyEZL3en.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\Pictures\1NXbTL9dcUCk55eVv5KRJhmL.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\cred64[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\Pictures\oXA3lyE6zGyLyvw1CwVKpLsf.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\Pictures\gmHwlMZnGawtAwStcAU6D1RM.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\NN7y6Ml4QHJBCfpeCmt1XQq3.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\swiiii[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\Pictures\0co9idnjzay1KSn3DMfCsBSw.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\ULDq5mjQ4b5aNI3V4eIJfMVS.exe	Jump to dropped file
Source: C:\Users\user\Desktop\1CMweaqlKp.exe	File created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe	File created: C:\Users\user\AppData\Local\Temp\u6po.0.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\GIz2DLitsyoTn14REJti2nqN.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\evHtDP9yDvs3XYDQg8lqEVoH.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\Pictures\qPQ3lJ1fN9DRgfiXtyMpf1ll.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Aghrmi42Lz5QvS8u8U6BiVXQ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\Pictures\11xbcpylNeYY4tZ39QN34xGC.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\iFyHzFXRkeOppMlu3FtGrLYy.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\Pictures\QcyIEuk7gD7wTlhElB94jgu9.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\Pictures\tAKreBGDuozTwXSZfhU7cFT3.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\Pictures\3N5jWnvXHqfYUsxTijnW3Uc5.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\4767d2e713f2021e8fe856e3ea638b58[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\H3bqnZf96LFIOlogieo3h5K9.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\i8dOWYOLtbNAxDJGOQ8Wt9el.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Local\Temp\1000080001\alexxxxxxxx.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\Pictures\v3efLAgS1BVue6uNuzFECLaH.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	File created: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\5LzADXbR9e1baIzvWufsCa70.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\xF7m0A44x6KodDxbhAtiDsub.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\Pictures\X53t1QSznpDGsvX2qLbdQFD1.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Osh3JGbyB69u4I6NltayynfD.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\install[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\swiiiii[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\Pictures\MtYY7PxoMVCDp1NJbYQga2LV.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\Pictures\jzMGE9Xb2Ny8jtCWlXWAk3ap.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\Pictures\de4IGlGSbV9c3J4m0qZtBGm8.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\aYtr3HT3BUqjK6QB6WYpwCcm.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\Pictures\zWIy5Pdf1kgq9YulaqIKrGGy.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\Pictures\JcuJCrKoIRAAJIb94uRnhVjr.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Z0V3bHdPFsglc9f9uLbxOZFN.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\9SmQs0R4T5RJUISklvcv02zp.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\leqbtljZtxj2WxVvdmpHiNsI.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\Pictures\ppcQqLgPI8Dyy7YykX33fm5x.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\Pictures\S41vy8IsPU7Iudry37c4uNtg.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Local\Temp\1000081001\install.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	File created: C:\Users\user\AppData\Local\Temp\1000236001\4767d2e713f2021e8fe856e3ea638b58.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe	File created: C:\Users\user\AppData\Local\Temp\u6po.2\AsIO.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u6po.0.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\sarra[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	File created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\amert[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe	File created: C:\Users\user\AppData\Local\Temp\u6po.2\ATKEX.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\jfesawdr[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\Pictures\STUD4CnDuvZtXsKBuBkO31id.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\Pictures\M4OBi0ywNcuUZRFLcfJ70nUH.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\iO9tAKw78L31Wsbvnq5kt5m1.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\8sXk5E4IG9n4ZHu2M9Littnp.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\f2NBhcBIObRGHagt6xPQoMa2.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\Pictures\gjVUxsTFUgOAjApkeCU52nGD.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	File created: C:\Users\user\1000021002\ac861238af.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\NewB[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\Pictures\rVg8HtIzXa4xhJHL7Pn8A6d2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Bkg8NSHXvizTVBsjT3dzRvci.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\Pictures\v6zcDFD3cRDhmr34kNKDn8tX.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\Pictures\Jr1vIs8XqAmt0RT7bHMte8ts.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\gKIISy7hixfPFGDeeM7cQzit.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\Pictures\SjGlviky3CjPwV1vWXl2gdhJ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\Pictures\D7t23m0X26bEkZqkCQtNwK5Y.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\Pictures\s8YO7ScTlLADC9Vt6wr10aY4.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\PHoZl3WswCZ1lCRWCJPBFZtN.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\Pictures\pl49PSFkcWVTQqBe8TA2VhRW.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\alexxxxxxxx[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\Pictures\7iI5SUAnqRGyB1YdSAO06W1v.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\file300un[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File created: C:\Users\user\AppData\Local\Temp\1000077001\jfesawdr.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\gzxs1MlpU5tnMfkC7kzgvR1h.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\5W1aDm1vpFLN4gyrIiISMc4h.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\LIdx8BlqmZTW07MQOtXboF4f.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	File created: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\KHojJ9v7XtNSHZfW6gAnnH23.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	File created: C:\ProgramData\MPGPH131\MPGPH131.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u6po.0.exe	File created: C:\ProgramData\freebl3.dll			Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ac861238af.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run d361f35322.exe	Jump to behavior

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Window searched: window name: PROCMON_WINDOW_CLASS

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Source: C:\Users\user\Desktop\1CMweaqlKp.exe

File created: C:\Windows\Tasks\explorta.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run d361f35322.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run d361f35322.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ac861238af.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ac861238af.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1000021002\ac861238af.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1000021002\ac861238af.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1000021002\ac861238af.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: powershell.exe PID: 352, type: MEMORYSTR

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI

Found stalling execution ending in API Sleep call

Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe

Stalling execution: Execution stalls by calling Sleep

graph_9-69613

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\1CMweaqlKp.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\1CMweaqlKp.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: file300un.exe, 00000032.00000002.7140120246.000001F380020000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: file300un.exe, 00000032.00000002.7140120246.000001F380020000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: toolspub1.exe, 00000031.00000002.2228738591.0000000001B1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOK

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 7E22AF second address: 7E22B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 7E22B3 second address: 7E22CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569C5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 7F59D3 second address: 7F59D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 7F59D9 second address: 7F59E3 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0D755569B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 7F5C99 second address: 7F5CA5 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0D7471B5DEh 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 7F5CA5 second address: 7F5CC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push edi 0x0000000c pop edi 0x0000000d jng 00007F0D755569B6h 0x00000013 popad 0x00000014 pushad 0x00000015 push edi 0x00000016 pop edi 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 push edx 0x0000001a pop edx 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 7F5CC1 second address: 7F5CC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 7F5CC7 second address: 7F5CCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 7F5CCD second address: 7F5CD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 7F600E second address: 7F602E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D755569C9h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 7F602E second address: 7F604A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D7471B5E6h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 7F604A second address: 7F6050 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 7F88DE second address: 7F88FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 jmp 00007F0D7471B5DEh 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 7F88FD second address: 7F8904 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 7F8948 second address: 7F8984 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D7471B5E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F0D7471B5E2h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 jng 00007F0D7471B5D6h 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 7F8984 second address: 7F8A29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007F0D755569BCh 0x0000000f jl 00007F0D755569B6h 0x00000015 popad 0x00000016 nop 0x00000017 mov dword ptr [ebp+122D1BDFh], edi 0x0000001d push 00000000h 0x0000001f mov dword ptr [ebp+122D2D87h], ecx 0x00000025 or dl, FFFFFFE3h 0x00000028 push 4B0C8EAEh 0x0000002d jp 00007F0D755569CAh 0x00000033 push ebx 0x00000034 jmp 00007F0D755569C2h 0x00000039 pop ebx 0x0000003a xor dword ptr [esp], 4B0C8E2Eh 0x00000041 and edx, dword ptr [ebp+122D39C7h] 0x00000047 push 00000003h 0x00000049 mov edx, 0FCA41BAh 0x0000004e push 00000000h 0x00000050 mov ecx, dword ptr [ebp+122D3A87h] 0x00000056 push 00000003h 0x00000058 call 00007F0D755569C0h 0x0000005d mov dword ptr [ebp+122D1847h], esi 0x00000063 pop edx 0x00000064 mov dword ptr [ebp+122D3105h], eax 0x0000006a call 00007F0D755569B9h 0x0000006f push eax 0x00000070 push edx 0x00000071 jnc 00007F0D755569BCh 0x00000077 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 7F8A29 second address: 7F8ABB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D7471B5E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 popad 0x00000011 pop ebx 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 jmp 00007F0D7471B5DCh 0x0000001b mov eax, dword ptr [eax] 0x0000001d jng 00007F0D7471B5DCh 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 push ecx 0x00000028 push eax 0x00000029 push edi 0x0000002a pop edi 0x0000002b pop eax 0x0000002c pop ecx 0x0000002d pop eax 0x0000002e call 00007F0D7471B5DDh 0x00000033 jo 00007F0D7471B5DCh 0x00000039 mov dword ptr [ebp+122D3168h], ecx 0x0000003f pop esi 0x00000040 add dword ptr [ebp+122D2F35h], ecx 0x00000046 lea ebx, dword ptr [ebp+1244D822h] 0x0000004c mov edx, 576335DFh 0x00000051 xchg eax, ebx 0x00000052 pushad 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007F0D7471B5E9h 0x0000005a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 7F8B4B second address: 7F8B64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D755569C4h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 7F8B64 second address: 7F8BC8 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0D7471B5ECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b ja 00007F0D7471B5ECh 0x00000011 nop 0x00000012 sbb edx, 661256BFh 0x00000018 push 00000000h 0x0000001a sub dword ptr [ebp+122D30A3h], esi 0x00000020 call 00007F0D7471B5D9h 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F0D7471B5DDh 0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 7F8BC8 second address: 7F8C04 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F0D755569BAh 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007F0D755569BCh 0x00000013 pop edx 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F0D755569C7h 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 7F8C04 second address: 7F8C21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D7471B5E9h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 7F8C21 second address: 7F8C30 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 7F8D21 second address: 7F8D25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 7F8D25 second address: 7F8D2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 7F8D2B second address: 7F8D2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 7F8DD5 second address: 7F8DDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 7F8DDC second address: 7F8ED5 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0D7471B5E2h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F0D7471B5DBh 0x00000010 nop 0x00000011 mov edx, esi 0x00000013 push 00000000h 0x00000015 mov edx, dword ptr [ebp+122D39E7h] 0x0000001b call 00007F0D7471B5D9h 0x00000020 jmp 00007F0D7471B5DDh 0x00000025 push eax 0x00000026 push eax 0x00000027 jmp 00007F0D7471B5DEh 0x0000002c pop eax 0x0000002d mov eax, dword ptr [esp+04h] 0x00000031 pushad 0x00000032 jmp 00007F0D7471B5E2h 0x00000037 jns 00007F0D7471B5DCh 0x0000003d popad 0x0000003e mov eax, dword ptr [eax] 0x00000040 jg 00007F0D7471B5F0h 0x00000046 pushad 0x00000047 jmp 00007F0D7471B5E6h 0x0000004c pushad 0x0000004d popad 0x0000004e popad 0x0000004f mov dword ptr [esp+04h], eax 0x00000053 jnl 00007F0D7471B5E0h 0x00000059 pop eax 0x0000005a mov cx, si 0x0000005d push 00000003h 0x0000005f ja 00007F0D7471B5DCh 0x00000065 mov dword ptr [ebp+122D32CFh], ebx 0x0000006b push 00000000h 0x0000006d mov edi, dword ptr [ebp+122D39D7h] 0x00000073 jmp 00007F0D7471B5DAh 0x00000078 push 00000003h 0x0000007a mov ecx, edx 0x0000007c call 00007F0D7471B5D9h 0x00000081 jng 00007F0D7471B5E4h 0x00000087 push eax 0x00000088 push eax 0x00000089 push edx 0x0000008a push esi 0x0000008b push eax 0x0000008c push edx 0x0000008d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 7F8ED5 second address: 7F8EDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 7F8EDA second address: 7F8F26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D7471B5E5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push ecx 0x0000000e push eax 0x0000000f pushad 0x00000010 popad 0x00000011 pop eax 0x00000012 pop ecx 0x00000013 mov eax, dword ptr [eax] 0x00000015 push esi 0x00000016 jmp 00007F0D7471B5E8h 0x0000001b pop esi 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 pushad 0x00000021 push ecx 0x00000022 pushad 0x00000023 popad 0x00000024 pop ecx 0x00000025 push eax 0x00000026 push edx 0x00000027 push edx 0x00000028 pop edx 0x00000029 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 7F8F26 second address: 7F8F5E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pop eax 0x0000000b adc cx, 0876h 0x00000010 lea ebx, dword ptr [ebp+1244D836h] 0x00000016 call 00007F0D755569C2h 0x0000001b pop ecx 0x0000001c push eax 0x0000001d push ebx 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 80B79D second address: 80B7A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 80B7A3 second address: 80B7AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 80B7AB second address: 80B7CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jno 00007F0D7471B5EBh 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 81793E second address: 817944 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 817944 second address: 81794A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 81794A second address: 817967 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0D755569C4h 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 817BD8 second address: 817BDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 817BDC second address: 817C0D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0D755569B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F0D755569C7h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F0D755569BEh 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 817C0D second address: 817C11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 817C11 second address: 817C23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F0D755569B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 817C23 second address: 817C29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 817C29 second address: 817C2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 817EA3 second address: 817EAE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push ebx 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8183E0 second address: 8183F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8183F5 second address: 818407 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 je 00007F0D7471B5D6h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 818407 second address: 81843C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0D755569C9h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8185BD second address: 8185CF instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0D7471B5D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007F0D7471B5DEh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 818723 second address: 818769 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007F0D755569C6h 0x0000000b jmp 00007F0D755569C1h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pop eax 0x00000014 jmp 00007F0D755569C6h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 818B26 second address: 818B2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 818B2A second address: 818B5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jnl 00007F0D755569B6h 0x0000000d pushad 0x0000000e popad 0x0000000f pop esi 0x00000010 pushad 0x00000011 push edi 0x00000012 pop edi 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007F0D755569C2h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f jc 00007F0D755569B6h 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 818B5C second address: 818B60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 818B60 second address: 818B9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F0D755569B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007F0D755569C3h 0x00000013 push ecx 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007F0D755569C0h 0x0000001b pop ecx 0x0000001c push eax 0x0000001d je 00007F0D755569B6h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 81945F second address: 819466 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 82026E second address: 820273 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 820273 second address: 820287 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0D7471B5DFh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8213E1 second address: 821402 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 popad 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d js 00007F0D755569CAh 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F0D755569BCh 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 821402 second address: 82141E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0D7471B5E0h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 82141E second address: 821424 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 825070 second address: 82507A instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0D7471B5DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 7EF854 second address: 7EF85A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8247BD second address: 8247C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8247C1 second address: 8247CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 js 00007F0D755569B6h 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8247CF second address: 8247E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 pop eax 0x00000009 popad 0x0000000a ja 00007F0D7471B5DEh 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 824E7E second address: 824E84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 824E84 second address: 824EAA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D7471B5DCh 0x00000007 js 00007F0D7471B5D6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jnc 00007F0D7471B5D8h 0x00000015 push eax 0x00000016 push edx 0x00000017 jnp 00007F0D7471B5D6h 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 824EAA second address: 824EAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 824EAE second address: 824EBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 824EBD second address: 824EC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 824EC1 second address: 824ECB instructions: 0x00000000 rdtsc 0x00000002 jns 00007F0D7471B5D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 824ECB second address: 824EEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0D755569C9h 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 824EEA second address: 824EEF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 824EEF second address: 824F09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D755569C4h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 824F09 second address: 824F1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F0D7471B5DDh 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 827C04 second address: 827C1A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 js 00007F0D755569D4h 0x0000000e push eax 0x0000000f push edx 0x00000010 jne 00007F0D755569B6h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 827D01 second address: 827D05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 827D05 second address: 827D09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 827D09 second address: 827D0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 828B11 second address: 828B15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 828B15 second address: 828B23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 828B23 second address: 828B27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 828B27 second address: 828B3B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D7471B5E0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 828D3F second address: 828D46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 828D46 second address: 828D67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F0D7471B5E3h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 828D67 second address: 828D6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 828D6D second address: 828D71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 829537 second address: 82953E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 829EFE second address: 829F02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 829D71 second address: 829D77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 82BAAA second address: 82BAAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 82A78D second address: 82A793 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 82B85A second address: 82B875 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D7471B5E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 82B875 second address: 82B87B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 82C491 second address: 82C49B instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0D7471B5D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 82C49B second address: 82C4CF instructions: 0x00000000 rdtsc 0x00000002 je 00007F0D755569C2h 0x00000008 jmp 00007F0D755569BCh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edi 0x00000011 pushad 0x00000012 jmp 00007F0D755569C9h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 82C4CF second address: 82C568 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push esi 0x0000000a call 00007F0D7471B5D8h 0x0000000f pop esi 0x00000010 mov dword ptr [esp+04h], esi 0x00000014 add dword ptr [esp+04h], 0000001Bh 0x0000001c inc esi 0x0000001d push esi 0x0000001e ret 0x0000001f pop esi 0x00000020 ret 0x00000021 sbb esi, 3B6CAB57h 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push ebx 0x0000002c call 00007F0D7471B5D8h 0x00000031 pop ebx 0x00000032 mov dword ptr [esp+04h], ebx 0x00000036 add dword ptr [esp+04h], 0000001Bh 0x0000003e inc ebx 0x0000003f push ebx 0x00000040 ret 0x00000041 pop ebx 0x00000042 ret 0x00000043 jno 00007F0D7471B5EAh 0x00000049 push 00000000h 0x0000004b je 00007F0D7471B5DCh 0x00000051 mov edi, dword ptr [ebp+122D39ABh] 0x00000057 jng 00007F0D7471B5DCh 0x0000005d and edi, 260D0A92h 0x00000063 xchg eax, ebx 0x00000064 push eax 0x00000065 push edx 0x00000066 jmp 00007F0D7471B5DDh 0x0000006b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 82C568 second address: 82C577 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 82CF59 second address: 82CF5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 82D9E3 second address: 82D9EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 82D9EA second address: 82DA08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edi 0x00000009 pushad 0x0000000a jmp 00007F0D7471B5E2h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 82E222 second address: 82E23E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0D755569C4h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 82E23E second address: 82E248 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F0D7471B5D6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 82EDD7 second address: 82EDDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 82EDDB second address: 82EDFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 ja 00007F0D7471B5F0h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F0D7471B5E2h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 830BF9 second address: 830BFE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 83134A second address: 83136F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D7471B5E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007F0D7471B5D6h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 83136F second address: 831373 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8358F1 second address: 8358F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8358F8 second address: 83591A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D755569C4h 0x00000009 popad 0x0000000a pushad 0x0000000b jbe 00007F0D755569B6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 836FB4 second address: 836FCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jns 00007F0D7471B5D6h 0x0000000f jne 00007F0D7471B5D6h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 838F8F second address: 838F95 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 838F95 second address: 838F9F instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0D7471B5DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8380BC second address: 8380C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8380C0 second address: 8380C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 839F55 second address: 839F59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8391AF second address: 8391B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 7F135A second address: 7F1368 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F0D755569B6h 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 83A159 second address: 83A15D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 83A15D second address: 83A178 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0D755569C3h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 83C561 second address: 83C56B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F0D7471B5D6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 83C6EE second address: 83C71B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007F0D755569CAh 0x00000012 jmp 00007F0D755569C4h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 83E631 second address: 83E649 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F0D7471B5DEh 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 83E649 second address: 83E64D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 83E64D second address: 83E660 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0D7471B5DBh 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 83E7CB second address: 83E7CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 83F6F4 second address: 83F75E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 push ebx 0x00000008 push ebx 0x00000009 pushad 0x0000000a popad 0x0000000b pop ebx 0x0000000c pop ebx 0x0000000d nop 0x0000000e push dword ptr fs:[00000000h] 0x00000015 push 00000000h 0x00000017 push eax 0x00000018 call 00007F0D7471B5D8h 0x0000001d pop eax 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 add dword ptr [esp+04h], 0000001Dh 0x0000002a inc eax 0x0000002b push eax 0x0000002c ret 0x0000002d pop eax 0x0000002e ret 0x0000002f push esi 0x00000030 add dword ptr [ebp+124492C8h], esi 0x00000036 pop ebx 0x00000037 mov dword ptr fs:[00000000h], esp 0x0000003e adc edi, 1E84177Bh 0x00000044 mov eax, dword ptr [ebp+122D0745h] 0x0000004a clc 0x0000004b push FFFFFFFFh 0x0000004d mov bx, 16F6h 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007F0D7471B5DBh 0x00000059 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 83F75E second address: 83F764 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 842591 second address: 842597 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 83D724 second address: 83D728 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 842597 second address: 8425F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007F0D7471B5D8h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push esi 0x0000002a call 00007F0D7471B5D8h 0x0000002f pop esi 0x00000030 mov dword ptr [esp+04h], esi 0x00000034 add dword ptr [esp+04h], 00000014h 0x0000003c inc esi 0x0000003d push esi 0x0000003e ret 0x0000003f pop esi 0x00000040 ret 0x00000041 mov ebx, 746D7CF6h 0x00000046 push 00000000h 0x00000048 mov edi, dword ptr [ebp+1244E01Ch] 0x0000004e xchg eax, esi 0x0000004f push ecx 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 popad 0x00000054 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 841812 second address: 841817 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 841817 second address: 841821 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F0D7471B5D6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 841821 second address: 841825 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8427C7 second address: 8427EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F0D7471B5E4h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007F0D7471B5DCh 0x00000014 jnl 00007F0D7471B5D6h 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8427EF second address: 8427F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 84386F second address: 843873 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 84A4DC second address: 84A4E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 84D3AD second address: 84D3C1 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0D7471B5D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F0D7471B5DAh 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 84D6D3 second address: 84D6E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569BEh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 84D858 second address: 84D85C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 84D85C second address: 84D87C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0D755569BCh 0x0000000d jmp 00007F0D755569BCh 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 84D87C second address: 84D880 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 810B05 second address: 810B27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D755569BDh 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pushad 0x0000000e popad 0x0000000f je 00007F0D755569B6h 0x00000015 pop eax 0x00000016 push edi 0x00000017 pushad 0x00000018 popad 0x00000019 pop edi 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8569B9 second address: 8569BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8569BF second address: 8569C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F0D755569B6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 85764E second address: 85766A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007F0D7471B5E3h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 85CFA4 second address: 85CFAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F0D755569B6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 85D110 second address: 85D12E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D7471B5E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 85D12E second address: 85D132 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 85D256 second address: 85D25C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 85D25C second address: 85D260 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 85D260 second address: 85D26B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 85D26B second address: 85D271 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 85D271 second address: 85D286 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push esi 0x0000000a pushad 0x0000000b popad 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jnc 00007F0D7471B5D6h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 85D286 second address: 85D290 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0D755569B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 85D290 second address: 85D2A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 85D2A0 second address: 85D2A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 85D3C7 second address: 85D3CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 85D3CD second address: 85D3D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 85D3D7 second address: 85D3DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 811628 second address: 81164F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569BFh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F0D755569C2h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8618AC second address: 8618B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8265AD second address: 8265B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8265B1 second address: 810B27 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D7471B5DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push eax 0x0000000e call 00007F0D7471B5D8h 0x00000013 pop eax 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc eax 0x00000021 push eax 0x00000022 ret 0x00000023 pop eax 0x00000024 ret 0x00000025 xor dx, 0FCDh 0x0000002a call 00007F0D7471B5DDh 0x0000002f sub dword ptr [ebp+122D1BECh], eax 0x00000035 pop edx 0x00000036 call dword ptr [ebp+122D27D7h] 0x0000003c jnl 00007F0D7471B5EBh 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 pushad 0x00000046 popad 0x00000047 je 00007F0D7471B5D6h 0x0000004d pop eax 0x0000004e push edi 0x0000004f pushad 0x00000050 popad 0x00000051 pop edi 0x00000052 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 82668A second address: 82668E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 826A6E second address: 826A78 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0D7471B5D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 826A78 second address: 826A7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 826A7E second address: 826A82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 826B78 second address: 826B7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 826F7B second address: 826F80 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 826F80 second address: 826F96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F0D755569BCh 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 827078 second address: 8270D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F0D7471B5D6h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f jg 00007F0D7471B5DCh 0x00000015 push 00000004h 0x00000017 push 00000000h 0x00000019 push ebp 0x0000001a call 00007F0D7471B5D8h 0x0000001f pop ebp 0x00000020 mov dword ptr [esp+04h], ebp 0x00000024 add dword ptr [esp+04h], 00000019h 0x0000002c inc ebp 0x0000002d push ebp 0x0000002e ret 0x0000002f pop ebp 0x00000030 ret 0x00000031 jmp 00007F0D7471B5E4h 0x00000036 mov edx, dword ptr [ebp+122D3C7Bh] 0x0000003c push eax 0x0000003d push edi 0x0000003e push edi 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 82744A second address: 82745C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0D755569B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 82777C second address: 82779C instructions: 0x00000000 rdtsc 0x00000002 jns 00007F0D7471B5DCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F0D7471B5DAh 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 82779C second address: 8277A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8277A1 second address: 8277A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 82785F second address: 827919 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0D755569BEh 0x0000000a popad 0x0000000b push eax 0x0000000c jnc 00007F0D755569D8h 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007F0D755569B8h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 0000001Bh 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d jmp 00007F0D755569C8h 0x00000032 mov cx, 4B59h 0x00000036 lea eax, dword ptr [ebp+1247B356h] 0x0000003c jmp 00007F0D755569C8h 0x00000041 sub ecx, dword ptr [ebp+122D28AEh] 0x00000047 nop 0x00000048 jmp 00007F0D755569BEh 0x0000004d push eax 0x0000004e jp 00007F0D755569BEh 0x00000054 push eax 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 827919 second address: 827962 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push ebx 0x00000009 call 00007F0D7471B5D8h 0x0000000e pop ebx 0x0000000f mov dword ptr [esp+04h], ebx 0x00000013 add dword ptr [esp+04h], 0000001Ch 0x0000001b inc ebx 0x0000001c push ebx 0x0000001d ret 0x0000001e pop ebx 0x0000001f ret 0x00000020 jmp 00007F0D7471B5DCh 0x00000025 lea eax, dword ptr [ebp+1247B312h] 0x0000002b movsx ecx, ax 0x0000002e push eax 0x0000002f pushad 0x00000030 push eax 0x00000031 push edx 0x00000032 jno 00007F0D7471B5D6h 0x00000038 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 827962 second address: 827966 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 827966 second address: 82796F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 82796F second address: 827975 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 827975 second address: 811628 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 mov edi, dword ptr [ebp+122D3B47h] 0x0000000f mov edx, ebx 0x00000011 call dword ptr [ebp+122D59A4h] 0x00000017 push eax 0x00000018 push edx 0x00000019 push ebx 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c jmp 00007F0D7471B5DCh 0x00000021 pop ebx 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 861DD8 second address: 861DDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8620AE second address: 8620C6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007F0D7471B5DEh 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8620C6 second address: 8620CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8620CC second address: 8620E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D7471B5E6h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8620E6 second address: 8620EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 86B312 second address: 86B338 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F0D7471B5E6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jl 00007F0D7471B5D6h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 86A181 second address: 86A186 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 86A2D3 second address: 86A2F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D7471B5E9h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 86A2F0 second address: 86A310 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a jmp 00007F0D755569C5h 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 86A310 second address: 86A316 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 86A450 second address: 86A458 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 86A458 second address: 86A46D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F0D7471B5D6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007F0D7471B5D6h 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 86A46D second address: 86A47F instructions: 0x00000000 rdtsc 0x00000002 je 00007F0D755569B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007F0D755569B6h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 86A47F second address: 86A485 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 86AB30 second address: 86AB36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 871264 second address: 8712B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007F0D7471B5DFh 0x0000000f jmp 00007F0D7471B5E4h 0x00000014 jmp 00007F0D7471B5E3h 0x00000019 popad 0x0000001a jnp 00007F0D7471B610h 0x00000020 pushad 0x00000021 push edx 0x00000022 pop edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 874421 second address: 874425 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 874425 second address: 87443F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007F0D75558556h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jnl 00007F0D75558556h 0x00000013 ja 00007F0D75558556h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 87443F second address: 874453 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 je 00007F0D755569D6h 0x00000009 jbe 00007F0D755569D6h 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 874453 second address: 874457 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 874457 second address: 87445D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 87445D second address: 874469 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 873CC7 second address: 873CE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569E8h 0x00000007 push esi 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 87955F second address: 879575 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 ja 00007F0D75558556h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 js 00007F0D75558556h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 879575 second address: 879579 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 879579 second address: 879581 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 879581 second address: 87958B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F0D755569D6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 87958B second address: 879595 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0D75558556h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 879595 second address: 8795E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F0D755569D8h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jnp 00007F0D755569DEh 0x00000015 pushad 0x00000016 popad 0x00000017 je 00007F0D755569D6h 0x0000001d jc 00007F0D755569DAh 0x00000023 push edx 0x00000024 pop edx 0x00000025 push ebx 0x00000026 pop ebx 0x00000027 jmp 00007F0D755569E5h 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F0D755569DCh 0x00000033 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 879A18 second address: 879A20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 879A20 second address: 879A24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 879A24 second address: 879A3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jp 00007F0D75558556h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007F0D75558556h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 879A3A second address: 879A3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 879A3E second address: 879A42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 879A42 second address: 879A48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 879A48 second address: 879A64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnp 00007F0D75558562h 0x00000010 jnl 00007F0D75558556h 0x00000016 jc 00007F0D75558556h 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 879D2F second address: 879D8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D755569DFh 0x00000009 popad 0x0000000a push edi 0x0000000b jmp 00007F0D755569E6h 0x00000010 jmp 00007F0D755569E7h 0x00000015 pop edi 0x00000016 jmp 00007F0D755569E7h 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 879D8D second address: 879D93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 827285 second address: 827293 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D755569DAh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 827293 second address: 82731B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b jmp 00007F0D75558567h 0x00000010 mov ebx, dword ptr [ebp+1247B351h] 0x00000016 xor dword ptr [ebp+122D28F8h], edi 0x0000001c add eax, ebx 0x0000001e mov dword ptr [ebp+122D295Eh], ebx 0x00000024 sub edx, 57973125h 0x0000002a nop 0x0000002b pushad 0x0000002c push edi 0x0000002d push eax 0x0000002e pop eax 0x0000002f pop edi 0x00000030 push ebx 0x00000031 push edi 0x00000032 pop edi 0x00000033 pop ebx 0x00000034 popad 0x00000035 push eax 0x00000036 jbe 00007F0D7555855Ah 0x0000003c nop 0x0000003d or ecx, 5FFEA9EBh 0x00000043 push 00000004h 0x00000045 push 00000000h 0x00000047 push edi 0x00000048 call 00007F0D75558558h 0x0000004d pop edi 0x0000004e mov dword ptr [esp+04h], edi 0x00000052 add dword ptr [esp+04h], 00000015h 0x0000005a inc edi 0x0000005b push edi 0x0000005c ret 0x0000005d pop edi 0x0000005e ret 0x0000005f push eax 0x00000060 push eax 0x00000061 push edx 0x00000062 push eax 0x00000063 push edx 0x00000064 jmp 00007F0D7555855Bh 0x00000069 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 82731B second address: 827325 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0D755569D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 879F01 second address: 879F3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D75558565h 0x00000009 pop edi 0x0000000a push esi 0x0000000b jnp 00007F0D75558556h 0x00000011 jmp 00007F0D75558568h 0x00000016 pop esi 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 87A0AF second address: 87A0B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 87D858 second address: 87D85E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8810BB second address: 8810C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8811EF second address: 8811FD instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0D75558556h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8811FD second address: 881207 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0D755569D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8814BF second address: 8814C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 889CE1 second address: 889CFE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F0D755569DDh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jne 00007F0D755569D6h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 889CFE second address: 889D02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 889D02 second address: 889D17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007F0D755569DCh 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 889D17 second address: 889D31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0D75558565h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 887F61 second address: 887F69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8888FA second address: 8888FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8888FE second address: 888902 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 888902 second address: 888921 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0D75558569h 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 888BDC second address: 888BE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 888E55 second address: 888E5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 888E5B second address: 888E79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F0D755569E7h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 888E79 second address: 888E8B instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0D7555855Ch 0x00000008 jno 00007F0D75558556h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 888E8B second address: 888E8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 888E8F second address: 888E95 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 889A1D second address: 889A29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F0D755569D6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8932C9 second address: 8932D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8932D3 second address: 8932F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jnp 00007F0D755569D8h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F0D755569E1h 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8932F9 second address: 8932FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 89245E second address: 892462 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 892753 second address: 89275E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F0D75558556h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 89275E second address: 89277C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569E9h 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 89277C second address: 892788 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 892788 second address: 89278E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 89278E second address: 892796 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 892796 second address: 89279B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8928EB second address: 8928F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edi 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8928F8 second address: 892917 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0D755569E2h 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 892D69 second address: 892D6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 892D6F second address: 892D8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D755569E8h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 892EB9 second address: 892EBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 899D45 second address: 899D49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 89A2C1 second address: 89A2C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 89A43F second address: 89A44F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F0D755569DAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 89A44F second address: 89A46F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0D75558569h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 89A7A5 second address: 89A7D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569DBh 0x00000007 push eax 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jmp 00007F0D755569E5h 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 89AB77 second address: 89AB7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 89AB7F second address: 89AB93 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0D755569D6h 0x00000008 je 00007F0D755569D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 89AB93 second address: 89AB97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 89AB97 second address: 89ABB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F0D755569D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 je 00007F0D755569DAh 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 89ABB1 second address: 89ABB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 89B2B4 second address: 89B2BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 89B2BB second address: 89B2D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 ja 00007F0D75558556h 0x0000000c popad 0x0000000d pop eax 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F0D7555855Bh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 89B2D9 second address: 89B2DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 89987E second address: 899894 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0D7555855Dh 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 899894 second address: 8998CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569E6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0D755569E9h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8998CE second address: 8998D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8998D2 second address: 8998DA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8998DA second address: 8998E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8998E2 second address: 8998E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8998E6 second address: 8998F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8998F2 second address: 899906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D755569E0h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 899906 second address: 89990A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8A31CF second address: 8A31F9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0D755569D6h 0x00000008 jmp 00007F0D755569E6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 jns 00007F0D755569D6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8B0344 second address: 8B0352 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007F0D75558556h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8B3B05 second address: 8B3B09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8B3B09 second address: 8B3B0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8B34B0 second address: 8B34B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8B364D second address: 8B3654 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8B3654 second address: 8B3667 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D755569DFh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8B3667 second address: 8B366B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8B366B second address: 8B3674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8B5B53 second address: 8B5B59 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8B5843 second address: 8B5847 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8B5847 second address: 8B584D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8CCFB1 second address: 8CCFB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8CCFB5 second address: 8CCFD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F0D7555856Ah 0x0000000c jns 00007F0D75558556h 0x00000012 jmp 00007F0D7555855Eh 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8CD119 second address: 8CD11F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8CD268 second address: 8CD26E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8CD26E second address: 8CD272 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8CD272 second address: 8CD27E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0D75558556h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8CD27E second address: 8CD289 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F0D755569D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8CD64C second address: 8CD651 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8CD651 second address: 8CD657 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8CD657 second address: 8CD682 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F0D7555855Ah 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0D75558565h 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8CD682 second address: 8CD68D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F0D755569D6h 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8CD95E second address: 8CD962 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8D13AA second address: 8D13B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8E4086 second address: 8E40C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007F0D75558556h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jl 00007F0D75558556h 0x00000016 jp 00007F0D75558556h 0x0000001c push eax 0x0000001d pop eax 0x0000001e popad 0x0000001f pushad 0x00000020 jc 00007F0D75558556h 0x00000026 push edx 0x00000027 pop edx 0x00000028 jmp 00007F0D75558561h 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8E40C0 second address: 8E40DD instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0D755569E8h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8E3E76 second address: 8E3E9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0D75558569h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8E3E9A second address: 8E3E9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8E3E9E second address: 8E3EC7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F0D75558569h 0x0000000d popad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8E3EC7 second address: 8E3ECB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8E3ECB second address: 8E3ECF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8E1412 second address: 8E1421 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jng 00007F0D755569D6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8F1350 second address: 8F1354 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8F1354 second address: 8F135A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8F135A second address: 8F137D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D7555855Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jnp 00007F0D75558556h 0x00000011 js 00007F0D75558556h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8F137D second address: 8F1387 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8F0EAC second address: 8F0EC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0D75558567h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8F0EC8 second address: 8F0ECE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8F0ECE second address: 8F0F00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jne 00007F0D75558558h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 ja 00007F0D7555856Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8F0F00 second address: 8F0F04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 8F1084 second address: 8F108C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 90B9E5 second address: 90BA0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F0D755569EFh 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 90BA0E second address: 90BA18 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0D7555855Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 90BB68 second address: 90BB6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 90BB6E second address: 90BB74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 90BE47 second address: 90BE4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 90C28F second address: 90C2E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D75558564h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F0D75558566h 0x0000000e jbe 00007F0D7555855Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F0D75558569h 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 90C494 second address: 90C498 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 910C76 second address: 910C8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D75558563h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 910F96 second address: 91102B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d jmp 00007F0D755569E2h 0x00000012 push dword ptr [ebp+122D29ACh] 0x00000018 xor dword ptr [ebp+122D29A6h], edx 0x0000001e call 00007F0D755569D9h 0x00000023 jnc 00007F0D755569E5h 0x00000029 push eax 0x0000002a jng 00007F0D755569E9h 0x00000030 jmp 00007F0D755569E3h 0x00000035 mov eax, dword ptr [esp+04h] 0x00000039 jnc 00007F0D755569E2h 0x0000003f mov eax, dword ptr [eax] 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 push edx 0x00000045 pop edx 0x00000046 push eax 0x00000047 pop eax 0x00000048 popad 0x00000049 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 91102B second address: 911040 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnp 00007F0D75558556h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 913E43 second address: 913E53 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jng 00007F0D755569D6h 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 913E53 second address: 913E73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0D7555855Ch 0x00000008 pushad 0x00000009 popad 0x0000000a push esi 0x0000000b pop esi 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 je 00007F0D75558556h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 913E73 second address: 913E77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 9139BD second address: 9139C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 9139C8 second address: 9139CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FD0021 second address: 4FD0026 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FD0026 second address: 4FD002C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FD002C second address: 4FD0030 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FD0030 second address: 4FD0054 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569DEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d movsx ebx, cx 0x00000010 mov ch, 59h 0x00000012 popad 0x00000013 xchg eax, ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FD0054 second address: 4FD0059 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FD0059 second address: 4FD0089 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0D755569E5h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FB0DA1 second address: 4FB0DB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D75558561h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FB0DB6 second address: 4FB0DDD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0D755569DDh 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FB0DDD second address: 4FB0E6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0D75558567h 0x00000009 sub si, 7DAEh 0x0000000e jmp 00007F0D75558569h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 pushad 0x00000019 push esi 0x0000001a pushad 0x0000001b popad 0x0000001c pop edx 0x0000001d call 00007F0D75558564h 0x00000022 pushfd 0x00000023 jmp 00007F0D75558562h 0x00000028 and al, FFFFFF88h 0x0000002b jmp 00007F0D7555855Bh 0x00000030 popfd 0x00000031 pop ecx 0x00000032 popad 0x00000033 xchg eax, ebp 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F0D75558562h 0x0000003b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FB0E6D second address: 4FB0E9A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0D755569DCh 0x00000009 xor eax, 06CD4718h 0x0000000f jmp 00007F0D755569DBh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov ebp, esp 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FB0E9A second address: 4FB0E9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FB0E9E second address: 4FB0EA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FB0EA4 second address: 4FB0EA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 500000E second address: 50000E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0D755569E1h 0x00000009 add ecx, 57196D96h 0x0000000f jmp 00007F0D755569E1h 0x00000014 popfd 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F0D755569DAh 0x00000022 add eax, 2A93D5B8h 0x00000028 jmp 00007F0D755569DBh 0x0000002d popfd 0x0000002e pushfd 0x0000002f jmp 00007F0D755569E8h 0x00000034 and si, 9018h 0x00000039 jmp 00007F0D755569DBh 0x0000003e popfd 0x0000003f popad 0x00000040 push eax 0x00000041 jmp 00007F0D755569E9h 0x00000046 xchg eax, ebp 0x00000047 pushad 0x00000048 movzx ecx, di 0x0000004b pushfd 0x0000004c jmp 00007F0D755569E9h 0x00000051 sbb cx, 9316h 0x00000056 jmp 00007F0D755569E1h 0x0000005b popfd 0x0000005c popad 0x0000005d mov ebp, esp 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 push eax 0x00000064 push edx 0x00000065 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50000E3 second address: 50000E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50000E7 second address: 50000EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50000EB second address: 50000F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4F9014F second address: 4F90154 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4F90154 second address: 4F901BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D75558567h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F0D75558566h 0x0000000f push eax 0x00000010 pushad 0x00000011 mov ebx, 75369F14h 0x00000016 pushfd 0x00000017 jmp 00007F0D7555855Dh 0x0000001c jmp 00007F0D7555855Bh 0x00000021 popfd 0x00000022 popad 0x00000023 xchg eax, ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F0D75558560h 0x0000002d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4F901BD second address: 4F901C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4F901C1 second address: 4F901C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FB0B78 second address: 4FB0BD6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov ch, dl 0x0000000d mov edx, esi 0x0000000f popad 0x00000010 xchg eax, ebp 0x00000011 jmp 00007F0D755569E2h 0x00000016 mov ebp, esp 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007F0D755569DDh 0x00000021 xor cx, 9536h 0x00000026 jmp 00007F0D755569E1h 0x0000002b popfd 0x0000002c mov cx, 9127h 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FB07A9 second address: 4FB07AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FB07AD second address: 4FB07F5 instructions: 0x00000000 rdtsc 0x00000002 mov ah, 4Ch 0x00000004 pop edx 0x00000005 pop eax 0x00000006 call 00007F0D755569DFh 0x0000000b mov si, AD5Fh 0x0000000f pop eax 0x00000010 popad 0x00000011 push eax 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F0D755569E0h 0x00000019 adc ecx, 0DF9DDC8h 0x0000001f jmp 00007F0D755569DBh 0x00000024 popfd 0x00000025 pushad 0x00000026 mov ecx, 3E933555h 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FB07F5 second address: 4FB080B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 xchg eax, ebp 0x00000007 pushad 0x00000008 mov cl, 37h 0x0000000a movsx edi, cx 0x0000000d popad 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FB080B second address: 4FB080F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FB080F second address: 4FB0813 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FB0813 second address: 4FB0819 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FB06F7 second address: 4FB0757 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F0D75558563h 0x00000009 mov edi, eax 0x0000000b pop ecx 0x0000000c popad 0x0000000d xchg eax, ebp 0x0000000e pushad 0x0000000f mov esi, edx 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 pop ecx 0x00000015 popad 0x00000016 mov ebp, esp 0x00000018 pushad 0x00000019 movsx ebx, cx 0x0000001c pushad 0x0000001d mov ecx, 1FA6E7A9h 0x00000022 pushfd 0x00000023 jmp 00007F0D75558566h 0x00000028 xor ax, BF78h 0x0000002d jmp 00007F0D7555855Bh 0x00000032 popfd 0x00000033 popad 0x00000034 popad 0x00000035 pop ebp 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FB0757 second address: 4FB075F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov si, di 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FB0503 second address: 4FB0509 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FB0509 second address: 4FB050D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FB050D second address: 4FB053E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D75558563h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0D75558565h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FC01F1 second address: 4FC01F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FC01F7 second address: 4FC01FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FC01FD second address: 4FC025F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F0D755569E0h 0x00000011 push eax 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F0D755569E1h 0x00000019 and eax, 63D39056h 0x0000001f jmp 00007F0D755569E1h 0x00000024 popfd 0x00000025 push eax 0x00000026 push edx 0x00000027 mov ecx, 6AB4CB1Dh 0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FF0F14 second address: 4FF0F73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D75558561h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c jmp 00007F0D75558563h 0x00000011 pop eax 0x00000012 jmp 00007F0D75558569h 0x00000017 popad 0x00000018 push eax 0x00000019 jmp 00007F0D75558561h 0x0000001e xchg eax, ebp 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FF0F73 second address: 4FF0F77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FF0F77 second address: 4FF0F7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FF0F7B second address: 4FF0F81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FF0F81 second address: 4FF0F87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FF0F87 second address: 4FF0F8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FD0302 second address: 4FD0357 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edi 0x00000005 call 00007F0D7555855Bh 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebx 0x0000000f pushad 0x00000010 mov ax, 2611h 0x00000014 pushad 0x00000015 push ecx 0x00000016 pop ebx 0x00000017 popad 0x00000018 popad 0x00000019 mov dword ptr [esp], ebp 0x0000001c pushad 0x0000001d mov ch, 22h 0x0000001f mov dx, C180h 0x00000023 popad 0x00000024 mov ebp, esp 0x00000026 jmp 00007F0D7555855Fh 0x0000002b mov eax, dword ptr [ebp+08h] 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F0D75558565h 0x00000035 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FD0357 second address: 4FD03CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0D755569DAh 0x00000009 sub ax, 0228h 0x0000000e jmp 00007F0D755569DBh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 and dword ptr [eax], 00000000h 0x0000001a jmp 00007F0D755569E6h 0x0000001f and dword ptr [eax+04h], 00000000h 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007F0D755569DAh 0x0000002a or ah, FFFFFFB8h 0x0000002d jmp 00007F0D755569DBh 0x00000032 popfd 0x00000033 popad 0x00000034 pop ebp 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F0D755569E5h 0x0000003c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FB0626 second address: 4FB062A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FB062A second address: 4FB0630 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FB0630 second address: 4FB0636 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FB0636 second address: 4FB0652 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0D755569DFh 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FB0652 second address: 4FB0656 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FB0656 second address: 4FB065C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FB065C second address: 4FB066B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D7555855Bh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FF0768 second address: 4FF076E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FF076E second address: 4FF07A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D75558567h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0D75558564h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FF07A2 second address: 4FF07A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FF07A7 second address: 4FF083E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bx, E8C2h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F0D7555855Fh 0x00000013 and eax, 2F0F17BEh 0x00000019 jmp 00007F0D75558569h 0x0000001e popfd 0x0000001f mov ah, 21h 0x00000021 popad 0x00000022 mov ebp, esp 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007F0D75558569h 0x0000002b add cx, B4A6h 0x00000030 jmp 00007F0D75558561h 0x00000035 popfd 0x00000036 push eax 0x00000037 push edx 0x00000038 pushfd 0x00000039 jmp 00007F0D7555855Eh 0x0000003e sub eax, 6EEEEA48h 0x00000044 jmp 00007F0D7555855Bh 0x00000049 popfd 0x0000004a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FF083E second address: 4FF08AE instructions: 0x00000000 rdtsc 0x00000002 call 00007F0D755569E8h 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007F0D755569DEh 0x00000011 mov dword ptr [esp], ecx 0x00000014 jmp 00007F0D755569E0h 0x00000019 mov eax, dword ptr [76FB65FCh] 0x0000001e jmp 00007F0D755569E0h 0x00000023 test eax, eax 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F0D755569E7h 0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FF08AE second address: 4FF08FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 0253C60Ah 0x00000008 push edi 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d je 00007F0DE749B601h 0x00000013 pushad 0x00000014 mov ecx, edx 0x00000016 push ebx 0x00000017 movzx esi, di 0x0000001a pop edx 0x0000001b popad 0x0000001c mov ecx, eax 0x0000001e jmp 00007F0D7555855Ah 0x00000023 xor eax, dword ptr [ebp+08h] 0x00000026 jmp 00007F0D75558561h 0x0000002b and ecx, 1Fh 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F0D7555855Dh 0x00000035 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FF08FC second address: 4FF0923 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, EBh 0x00000005 jmp 00007F0D755569E8h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d ror eax, cl 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FF0923 second address: 4FF093C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F0D75558563h 0x00000009 pop esi 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FF093C second address: 4FF0942 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FF0942 second address: 4FF0946 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FA001D second address: 4FA00AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushfd 0x00000006 jmp 00007F0D755569E8h 0x0000000b and ah, 00000048h 0x0000000e jmp 00007F0D755569DBh 0x00000013 popfd 0x00000014 popad 0x00000015 push eax 0x00000016 pushad 0x00000017 push edx 0x00000018 mov ax, A851h 0x0000001c pop eax 0x0000001d mov si, bx 0x00000020 popad 0x00000021 xchg eax, ebp 0x00000022 pushad 0x00000023 call 00007F0D755569DFh 0x00000028 pop edx 0x00000029 pushfd 0x0000002a jmp 00007F0D755569E4h 0x0000002f adc esi, 4D1E1308h 0x00000035 jmp 00007F0D755569DBh 0x0000003a popfd 0x0000003b popad 0x0000003c mov ebp, esp 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007F0D755569E5h 0x00000045 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FA00AA second address: 4FA00CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D75558561h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and esp, FFFFFFF8h 0x0000000c pushad 0x0000000d mov edi, eax 0x0000000f mov edx, eax 0x00000011 popad 0x00000012 xchg eax, ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FA00CF second address: 4FA00D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FA00D3 second address: 4FA00EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D75558563h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FA00EA second address: 4FA015F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F0D755569E7h 0x00000011 add cx, 4C1Eh 0x00000016 jmp 00007F0D755569E9h 0x0000001b popfd 0x0000001c popad 0x0000001d xchg eax, ecx 0x0000001e jmp 00007F0D755569DDh 0x00000023 xchg eax, ebx 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F0D755569DDh 0x0000002b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FA015F second address: 4FA016F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D7555855Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FA016F second address: 4FA01CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e pushfd 0x0000000f jmp 00007F0D755569E2h 0x00000014 xor ax, 96D8h 0x00000019 jmp 00007F0D755569DBh 0x0000001e popfd 0x0000001f pop ecx 0x00000020 movsx edx, ax 0x00000023 popad 0x00000024 xchg eax, ebx 0x00000025 jmp 00007F0D755569E0h 0x0000002a mov ebx, dword ptr [ebp+10h] 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F0D755569DAh 0x00000036 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FA01CE second address: 4FA01D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FA01D4 second address: 4FA01E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D755569DDh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FA01E5 second address: 4FA0237 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D75558561h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c pushad 0x0000000d mov esi, 064700E3h 0x00000012 mov di, ax 0x00000015 popad 0x00000016 push eax 0x00000017 jmp 00007F0D75558565h 0x0000001c xchg eax, esi 0x0000001d pushad 0x0000001e push edi 0x0000001f pushad 0x00000020 popad 0x00000021 pop esi 0x00000022 popad 0x00000023 mov esi, dword ptr [ebp+08h] 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F0D7555855Eh 0x0000002d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FA0237 second address: 4FA0259 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a pushad 0x0000000b mov ebx, 3C2B8BF6h 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov bx, B1FCh 0x00000019 mov bl, F1h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FA0259 second address: 4FA0291 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 60961600h 0x00000008 pushfd 0x00000009 jmp 00007F0D75558569h 0x0000000e jmp 00007F0D7555855Bh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, edi 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FA0291 second address: 4FA0295 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FA0295 second address: 4FA02B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D75558567h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FA02B0 second address: 4FA030E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0D755569DFh 0x00000009 xor cl, FFFFFFEEh 0x0000000c jmp 00007F0D755569E9h 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007F0D755569E0h 0x00000018 adc eax, 35775B68h 0x0000001e jmp 00007F0D755569DBh 0x00000023 popfd 0x00000024 popad 0x00000025 pop edx 0x00000026 pop eax 0x00000027 test esi, esi 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FA030E second address: 4FA0312 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FA0312 second address: 4FA0318 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FA0318 second address: 4FA035F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D7555855Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F0DE74E6845h 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F0D7555855Eh 0x00000016 adc si, 18F8h 0x0000001b jmp 00007F0D7555855Bh 0x00000020 popfd 0x00000021 mov si, 8E2Fh 0x00000025 popad 0x00000026 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FA035F second address: 4FA0365 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FA0365 second address: 4FA03E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 4ED4F03Bh 0x00000008 pushfd 0x00000009 jmp 00007F0D75558560h 0x0000000e sbb eax, 61A16288h 0x00000014 jmp 00007F0D7555855Bh 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d je 00007F0DE74E67EEh 0x00000023 pushad 0x00000024 mov ebx, ecx 0x00000026 mov ecx, 4F362AF7h 0x0000002b popad 0x0000002c mov edx, dword ptr [esi+44h] 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 pushfd 0x00000033 jmp 00007F0D7555855Fh 0x00000038 sbb cx, 077Eh 0x0000003d jmp 00007F0D75558569h 0x00000042 popfd 0x00000043 jmp 00007F0D75558560h 0x00000048 popad 0x00000049 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FA03E8 second address: 4FA0414 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0D755569E1h 0x00000009 sbb ch, 00000066h 0x0000000c jmp 00007F0D755569E1h 0x00000011 popfd 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FA0414 second address: 4FA0433 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 or edx, dword ptr [ebp+0Ch] 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0D75558563h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FA0433 second address: 4FA0465 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test edx, 61000000h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F0D755569DDh 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FA0465 second address: 4FA046B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FA046B second address: 4FA04BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F0DE74E4BEBh 0x0000000e jmp 00007F0D755569DFh 0x00000013 test byte ptr [esi+48h], 00000001h 0x00000017 pushad 0x00000018 movzx esi, di 0x0000001b popad 0x0000001c jne 00007F0DE74E4BE6h 0x00000022 jmp 00007F0D755569DAh 0x00000027 test bl, 00000007h 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F0D755569E7h 0x00000031 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4F908C1 second address: 4F908C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4F908C7 second address: 4F908F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c push eax 0x0000000d movsx ebx, ax 0x00000010 pop ecx 0x00000011 mov dl, D2h 0x00000013 popad 0x00000014 and esp, FFFFFFF8h 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4F908F3 second address: 4F908F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4F908F7 second address: 4F9090A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4F9090A second address: 4F9093D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, ax 0x00000006 pushfd 0x00000007 jmp 00007F0D75558560h 0x0000000c add esi, 32756E58h 0x00000012 jmp 00007F0D7555855Bh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4F9093D second address: 4F90941 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4F90941 second address: 4F9095C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D75558567h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4F9095C second address: 4F909DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 61598CDAh 0x00000008 pushfd 0x00000009 jmp 00007F0D755569DBh 0x0000000e adc cl, 0000007Eh 0x00000011 jmp 00007F0D755569E9h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b jmp 00007F0D755569E1h 0x00000020 xchg eax, ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007F0D755569E3h 0x0000002a sbb ch, 0000003Eh 0x0000002d jmp 00007F0D755569E9h 0x00000032 popfd 0x00000033 pushad 0x00000034 popad 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4F909DA second address: 4F90A4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 mov edi, 5AD05D4Ch 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f pushad 0x00000010 call 00007F0D7555855Eh 0x00000015 mov bx, ax 0x00000018 pop esi 0x00000019 pushfd 0x0000001a jmp 00007F0D75558567h 0x0000001f adc ch, FFFFFFAEh 0x00000022 jmp 00007F0D75558569h 0x00000027 popfd 0x00000028 popad 0x00000029 mov dword ptr [esp], esi 0x0000002c jmp 00007F0D7555855Eh 0x00000031 mov esi, dword ptr [ebp+08h] 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4F90A4C second address: 4F90A69 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4F90A69 second address: 4F90AB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0D75558567h 0x00000008 call 00007F0D75558568h 0x0000000d pop eax 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov ebx, 00000000h 0x00000016 jmp 00007F0D7555855Eh 0x0000001b test esi, esi 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4F90AB9 second address: 4F90AC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edx, 0E499ADEh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4F90AC3 second address: 4F90AE7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D75558564h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F0DE74EDE09h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4F90AE7 second address: 4F90B31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000010 pushad 0x00000011 pushad 0x00000012 mov ax, B5A1h 0x00000016 pushfd 0x00000017 jmp 00007F0D755569DEh 0x0000001c xor ah, 00000038h 0x0000001f jmp 00007F0D755569DBh 0x00000024 popfd 0x00000025 popad 0x00000026 mov di, cx 0x00000029 popad 0x0000002a mov ecx, esi 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4F90B31 second address: 4F90B5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F0D7555855Dh 0x0000000a sbb ecx, 4C556BD6h 0x00000010 jmp 00007F0D75558561h 0x00000015 popfd 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4F90B5C second address: 4F90B6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D755569DCh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4F90B6C second address: 4F90BB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D7555855Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F0DE74EDD7Ch 0x00000011 jmp 00007F0D75558566h 0x00000016 test byte ptr [76FB6968h], 00000002h 0x0000001d pushad 0x0000001e call 00007F0D7555855Eh 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4F90BB1 second address: 4F90C17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 jne 00007F0DE74EC1D5h 0x0000000c pushad 0x0000000d jmp 00007F0D755569E8h 0x00000012 movzx eax, bx 0x00000015 popad 0x00000016 mov edx, dword ptr [ebp+0Ch] 0x00000019 jmp 00007F0D755569DDh 0x0000001e xchg eax, ebx 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007F0D755569DCh 0x00000026 sbb cx, 3848h 0x0000002b jmp 00007F0D755569DBh 0x00000030 popfd 0x00000031 mov eax, 581553BFh 0x00000036 popad 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4F90C17 second address: 4F90C1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4F90C1B second address: 4F90C1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4F90C1F second address: 4F90C25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4F90C25 second address: 4F90CBA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 pushfd 0x00000006 jmp 00007F0D755569DBh 0x0000000b or eax, 7CD0CB3Eh 0x00000011 jmp 00007F0D755569E9h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebx 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F0D755569DCh 0x00000022 add si, 2838h 0x00000027 jmp 00007F0D755569DBh 0x0000002c popfd 0x0000002d pushfd 0x0000002e jmp 00007F0D755569E8h 0x00000033 sbb cl, FFFFFF98h 0x00000036 jmp 00007F0D755569DBh 0x0000003b popfd 0x0000003c popad 0x0000003d xchg eax, ebx 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007F0D755569E5h 0x00000045 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4F90CBA second address: 4F90CCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D7555855Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4F90CCA second address: 4F90D2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F0D755569E3h 0x00000012 or esi, 3F69D56Eh 0x00000018 jmp 00007F0D755569E9h 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007F0D755569E0h 0x00000024 sbb ax, 78E8h 0x00000029 jmp 00007F0D755569DBh 0x0000002e popfd 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4F90D2D second address: 4F90D33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4F90D33 second address: 4F90D37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FA0A2B second address: 4FA0A81 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D75558569h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F0D75558567h 0x00000010 mov cx, 175Fh 0x00000014 popad 0x00000015 xchg eax, ebp 0x00000016 jmp 00007F0D75558562h 0x0000001b mov ebp, esp 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FA0A81 second address: 4FA0A85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FA0A85 second address: 4FA0A8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 502069D second address: 50206A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50206A3 second address: 50206A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50206A7 second address: 50206AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 82A9F9 second address: 82A9FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 82ADC9 second address: 82ADCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5010675 second address: 501067B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 501067B second address: 501067F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 501067F second address: 5010695 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0D7555855Bh 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5010695 second address: 501069B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 501069B second address: 501069F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 501069F second address: 50106A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50106A3 second address: 50106B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov al, 39h 0x0000000c mov bx, BDDCh 0x00000010 popad 0x00000011 xchg eax, ebp 0x00000012 pushad 0x00000013 push ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50106B9 second address: 50106D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 mov dh, 85h 0x00000007 popad 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0D755569E1h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FB0278 second address: 4FB0282 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ebx, 0413528Eh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FB0282 second address: 4FB0291 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D755569DBh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FB0291 second address: 4FB02BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D75558569h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0D7555855Ch 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FB02BF second address: 4FB02C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FB02C5 second address: 4FB02C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 4FB02C9 second address: 4FB02E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0D755569E4h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50109EE second address: 50109F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50109F2 second address: 50109F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 50109F8 second address: 5010A07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D7555855Bh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5010A07 second address: 5010A36 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0D755569DDh 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5010A36 second address: 5010A3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5010A3C second address: 5010AA6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007F0D755569E6h 0x00000012 push dword ptr [ebp+0Ch] 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 mov si, di 0x0000001b pushfd 0x0000001c jmp 00007F0D755569E9h 0x00000021 xor ah, FFFFFFF6h 0x00000024 jmp 00007F0D755569E1h 0x00000029 popfd 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5010AA6 second address: 5010ABE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edi 0x00000005 mov di, 667Eh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push dword ptr [ebp+08h] 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push ecx 0x00000013 pop edx 0x00000014 mov di, ax 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5010ABE second address: 5010AC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5010AC4 second address: 5010AC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5010AC8 second address: 5010ADB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push DC8A490Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5010ADB second address: 5010ADF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5010ADF second address: 5010AE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5010B60 second address: 5010B66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5010B66 second address: 5010B6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5010B6C second address: 5010B70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5010B70 second address: 5010B99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D755569E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b movzx eax, al 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F0D755569DDh 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	RDTSC instruction interceptor: First address: 5010B99 second address: 5010BAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 push edx 0x00000007 pop ecx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f mov bh, 07h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	RDTSC instruction interceptor: First address: 978065 second address: 97807B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D755569E2h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	RDTSC instruction interceptor: First address: AF82CE second address: AF82D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	RDTSC instruction interceptor: First address: AF72CC second address: AF72F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F0D755569DEh 0x0000000b jmp 00007F0D755569E2h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	RDTSC instruction interceptor: First address: AF72F7 second address: AF72FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	RDTSC instruction interceptor: First address: AF72FB second address: AF730B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F0D755569D6h 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	RDTSC instruction interceptor: First address: AF730B second address: AF7311 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	RDTSC instruction interceptor: First address: AF7457 second address: AF7481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 popad 0x00000008 jnp 00007F0D755569FCh 0x0000000e push ecx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 jmp 00007F0D755569E4h 0x00000016 pop ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	RDTSC instruction interceptor: First address: AF7481 second address: AF7485 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	RDTSC instruction interceptor: First address: AF78AC second address: AF78B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	RDTSC instruction interceptor: First address: AF7B2A second address: AF7B3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edi 0x00000006 push edi 0x00000007 pop edi 0x00000008 jnc 00007F0D75558556h 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	RDTSC instruction interceptor: First address: AF7B3F second address: AF7B48 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Special instruction interceptor: First address: 67ED86 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Special instruction interceptor: First address: 821255 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Special instruction interceptor: First address: 81FCCE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Special instruction interceptor: First address: 67C582 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Special instruction interceptor: First address: 826705 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Special instruction interceptor: First address: 8AA845 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Special instruction interceptor: First address: 99ED86 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Special instruction interceptor: First address: B41255 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Special instruction interceptor: First address: B3FCCE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Special instruction interceptor: First address: 975256 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Special instruction interceptor: First address: 99C582 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Special instruction interceptor: First address: B46705 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Special instruction interceptor: First address: B9599A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Special instruction interceptor: First address: BCA845 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 895256 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: AB599A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: A25256 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: C4599A instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Memory allocated: 2BD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Memory allocated: 2C90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Memory allocated: 4C90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Memory allocated: 1180000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Memory allocated: 2CB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Memory allocated: 2AB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe	Memory allocated: 11A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe	Memory allocated: 2CB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe	Memory allocated: 2AE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Memory allocated: 1F3F4990000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Memory allocated: 1F3F62B0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 12B0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2AB0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 4AB0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 7200000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 8200000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 8390000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 9390000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 97F0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: B070000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: C470000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 97B0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: D470000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: E470000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: EAA0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: FAA0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 8300000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 9500000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe

Code function: 7_2_05010B4F rdtsc

7_2_05010B4F

Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599675
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597269
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596933
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 300000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596417
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595737
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595611
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595269
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 592613
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 592174
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 591863
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 591362
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 588551
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 587988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 587538
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 587006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 586598
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 584013
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 583347
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 582588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 579810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 579036
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 578371
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 574082
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 573153
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 572475
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 571559
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 570854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 570174
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 569384
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 568678
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 291318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Window / User API: threadDelayed 1173	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Window / User API: threadDelayed 1141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Window / User API: threadDelayed 1144	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Window / User API: threadDelayed 1326	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Window / User API: threadDelayed 944
Source: C:\Users\user\1000021002\ac861238af.exe	Window / User API: threadDelayed 662
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 2567
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 2264
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 2236
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 2236
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 4717
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 4830
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9256
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Window / User API: threadDelayed 830
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Window / User API: threadDelayed 2276
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Window / User API: threadDelayed 2299
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Window / User API: threadDelayed 2268
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Window / User API: threadDelayed 2284
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 356

Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_9-69633

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\X53t1QSznpDGsvX2qLbdQFD1.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Osh3JGbyB69u4I6NltayynfD.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\gX4d2ArXDOHTjofk9CfRb7Jz.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\5nFKWr1EKUheiDEHo671vxm8.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\clip64[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\QbkKvIT5uJj3Cx8h0ECIsmUK.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u6po.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u6po.2\ASUS_WMI.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\install[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\gold[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\MtYY7PxoMVCDp1NJbYQga2LV.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\jzMGE9Xb2Ny8jtCWlXWAk3ap.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\de4IGlGSbV9c3J4m0qZtBGm8.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\9WrQ2c2u5fxH1pcvCwwjGhdd.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\aYtr3HT3BUqjK6QB6WYpwCcm.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\zWIy5Pdf1kgq9YulaqIKrGGy.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\JcuJCrKoIRAAJIb94uRnhVjr.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\gPQjkT7jjoMSIv7cXyWMW1C4.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Z0V3bHdPFsglc9f9uLbxOZFN.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\leqbtljZtxj2WxVvdmpHiNsI.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\9SmQs0R4T5RJUISklvcv02zp.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\ppcQqLgPI8Dyy7YykX33fm5x.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\S41vy8IsPU7Iudry37c4uNtg.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000081001\install.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000236001\4767d2e713f2021e8fe856e3ea638b58.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u6po.2\AsIO.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u6po.0.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\sarra[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\C893DEcM3dAA247WrHBz1SDW.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\CmCQsbfi77SnYQWckHTzUjRg.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\oqwWhViccQzmDvkS751EZRiG.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u6po.2\ATKEX.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\laQhqKepZhfkS5rQoYOvKJAy.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\g81RdhkO8Pp47pz1l8siHWuN.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\pScZMSZH0uu2OkUDvWpN2tuz.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\dmmb0z6yJ22pC75a4y49Nfob.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\mBoc1pbzy7gOQT20pyEZL3en.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\STUD4CnDuvZtXsKBuBkO31id.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\jfesawdr[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\1NXbTL9dcUCk55eVv5KRJhmL.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\oXA3lyE6zGyLyvw1CwVKpLsf.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\cred64[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\iO9tAKw78L31Wsbvnq5kt5m1.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\M4OBi0ywNcuUZRFLcfJ70nUH.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\gmHwlMZnGawtAwStcAU6D1RM.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\8sXk5E4IG9n4ZHu2M9Littnp.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\NN7y6Ml4QHJBCfpeCmt1XQq3.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\f2NBhcBIObRGHagt6xPQoMa2.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\gjVUxsTFUgOAjApkeCU52nGD.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\rVg8HtIzXa4xhJHL7Pn8A6d2.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Bkg8NSHXvizTVBsjT3dzRvci.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\0co9idnjzay1KSn3DMfCsBSw.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\ULDq5mjQ4b5aNI3V4eIJfMVS.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\v6zcDFD3cRDhmr34kNKDn8tX.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\GIz2DLitsyoTn14REJti2nqN.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\evHtDP9yDvs3XYDQg8lqEVoH.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Jr1vIs8XqAmt0RT7bHMte8ts.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\qPQ3lJ1fN9DRgfiXtyMpf1ll.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\gKIISy7hixfPFGDeeM7cQzit.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Aghrmi42Lz5QvS8u8U6BiVXQ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\SjGlviky3CjPwV1vWXl2gdhJ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\D7t23m0X26bEkZqkCQtNwK5Y.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\s8YO7ScTlLADC9Vt6wr10aY4.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\11xbcpylNeYY4tZ39QN34xGC.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\iFyHzFXRkeOppMlu3FtGrLYy.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\QcyIEuk7gD7wTlhElB94jgu9.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\tAKreBGDuozTwXSZfhU7cFT3.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\PHoZl3WswCZ1lCRWCJPBFZtN.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\pl49PSFkcWVTQqBe8TA2VhRW.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\3N5jWnvXHqfYUsxTijnW3Uc5.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\alexxxxxxxx[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\H3bqnZf96LFIOlogieo3h5K9.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\7iI5SUAnqRGyB1YdSAO06W1v.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\4767d2e713f2021e8fe856e3ea638b58[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000077001\jfesawdr.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\gzxs1MlpU5tnMfkC7kzgvR1h.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\i8dOWYOLtbNAxDJGOQ8Wt9el.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\5W1aDm1vpFLN4gyrIiISMc4h.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000080001\alexxxxxxxx.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\v3efLAgS1BVue6uNuzFECLaH.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\LIdx8BlqmZTW07MQOtXboF4f.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\5LzADXbR9e1baIzvWufsCa70.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\KHojJ9v7XtNSHZfW6gAnnH23.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\xF7m0A44x6KodDxbhAtiDsub.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 6792	Thread sleep count: 1173 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 6792	Thread sleep time: -35190000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 6872	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 1072	Thread sleep count: 52 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 1072	Thread sleep time: -104052s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 3804	Thread sleep count: 1141 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 3804	Thread sleep time: -2283141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 5804	Thread sleep count: 66 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 2828	Thread sleep count: 1144 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 2828	Thread sleep time: -2289144s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 5804	Thread sleep count: 253 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 2756	Thread sleep count: 1326 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 2756	Thread sleep time: -2653326s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 7508	Thread sleep count: 76 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 7508	Thread sleep time: -152076s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 5600	Thread sleep count: 49 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 5600	Thread sleep time: -98049s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 5776	Thread sleep count: 944 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 5776	Thread sleep time: -28320000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 8068	Thread sleep count: 120 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 8068	Thread sleep time: -240120s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 8128	Thread sleep count: 111 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 8128	Thread sleep time: -222111s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 7916	Thread sleep count: 111 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 7916	Thread sleep time: -222111s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 5012	Thread sleep count: 108 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 5012	Thread sleep time: -216108s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 5100	Thread sleep count: 100 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 5100	Thread sleep time: -200100s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 8072	Thread sleep count: 112 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 8072	Thread sleep time: -224112s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 8056	Thread sleep count: 33 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 8056	Thread sleep time: -33000s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8416	Thread sleep count: 37 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8416	Thread sleep time: -74037s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8420	Thread sleep count: 40 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8420	Thread sleep time: -80040s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8436	Thread sleep count: 2567 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8436	Thread sleep time: -5136567s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8424	Thread sleep count: 2264 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8424	Thread sleep time: -4530264s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5808	Thread sleep count: 163 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5808	Thread sleep count: 119 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8440	Thread sleep count: 36 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8440	Thread sleep time: -72036s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8444	Thread sleep count: 35 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8444	Thread sleep time: -70035s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8432	Thread sleep count: 2236 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8432	Thread sleep time: -4474236s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8428	Thread sleep count: 2236 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8428	Thread sleep time: -4474236s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8544	Thread sleep count: 47 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8544	Thread sleep time: -94047s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8548	Thread sleep count: 56 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8548	Thread sleep time: -112056s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8564	Thread sleep count: 4717 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8564	Thread sleep time: -9438717s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8568	Thread sleep count: 53 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8568	Thread sleep time: -106053s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5752	Thread sleep count: 39 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8556	Thread sleep time: -56028s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8560	Thread sleep count: 4830 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8560	Thread sleep time: -9664830s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2740	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8516	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe TID: 3896	Thread sleep count: 830 > 30
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe TID: 3896	Thread sleep time: -24900000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe TID: 8268	Thread sleep time: -720000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 8344	Thread sleep count: 75 > 30
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 8344	Thread sleep time: -150075s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 8348	Thread sleep count: 69 > 30
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 8348	Thread sleep time: -138069s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 8332	Thread sleep count: 2276 > 30
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 8332	Thread sleep time: -4554276s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 8204	Thread sleep count: 210 > 30
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 8324	Thread sleep count: 2299 > 30
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 8324	Thread sleep time: -4600299s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 8320	Thread sleep count: 2268 > 30
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 8320	Thread sleep time: -4538268s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 8328	Thread sleep count: 2284 > 30
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 8328	Thread sleep time: -4570284s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 8336	Thread sleep count: 74 > 30
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe TID: 8336	Thread sleep time: -148074s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe TID: 7472	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe TID: 8996	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 9036	Thread sleep time: -46023s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 9040	Thread sleep time: -38019s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 9028	Thread sleep time: -44022s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8968	Thread sleep count: 77 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 9048	Thread sleep time: -36018s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 9044	Thread sleep time: -32016s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8968	Thread sleep count: 134 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 9032	Thread sleep time: -36018s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 9052	Thread sleep time: -36018s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 9056	Thread sleep time: -48024s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9204	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9204	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908	Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908	Thread sleep time: -599675s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908	Thread sleep time: -597269s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908	Thread sleep time: -596933s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8744	Thread sleep time: -900000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908	Thread sleep time: -596417s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908	Thread sleep time: -596128s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908	Thread sleep time: -595880s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908	Thread sleep time: -595737s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908	Thread sleep time: -595611s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908	Thread sleep time: -595269s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908	Thread sleep time: -592613s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908	Thread sleep time: -592174s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908	Thread sleep time: -591863s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908	Thread sleep time: -591362s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908	Thread sleep time: -588551s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908	Thread sleep time: -587988s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908	Thread sleep time: -587538s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908	Thread sleep time: -587006s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908	Thread sleep time: -586598s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908	Thread sleep time: -584013s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908	Thread sleep time: -583347s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908	Thread sleep time: -582588s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908	Thread sleep time: -579810s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908	Thread sleep time: -579036s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908	Thread sleep time: -578371s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908	Thread sleep time: -574082s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908	Thread sleep time: -573153s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908	Thread sleep time: -572475s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908	Thread sleep time: -571559s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908	Thread sleep time: -570854s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908	Thread sleep time: -570174s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908	Thread sleep time: -569384s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908	Thread sleep time: -568678s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908	Thread sleep time: -291318s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\1CMweaqlKp.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe	File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_008A33B0 FindFirstFileA,FindNextFileA,	9_2_008A33B0
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_008C3B20 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error,	9_2_008C3B20
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_00811F8C FindFirstFileExW,	9_2_00811F8C

Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe

9_2_008BD2B0

Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Thread delayed: delay time: 30000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599675
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597269
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596933
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 300000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596417
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595737
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595611
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595269
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 592613
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 592174
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 591863
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 591362
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 588551
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 587988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 587538
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 587006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 586598
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 584013
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 583347
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 582588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 579810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 579036
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 578371
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 574082
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 573153
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 572475
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 571559
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 570854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 570174
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 569384
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 568678
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 291318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: d361f35322.exe, 00000024.00000003.2762447424.0000000001447000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JwZo/8MwiwHqIvXEAOVpRY7WnVBhrODe/dgRQYX3uczos12TJGMgUcbRf8jrvikd/VczY83oKOZAMzqKgTejI6EDzeg4bDERNuftnqULxoXXPfG6v9krfDbdf0XoQLjCXaLpea2NXecnZXJn9gK/7u4bACHwMWEsF/+YMF5I4GPCRFLE5FKoUgv0RsC+xv1D14mzjXDWhOP4HkVDCCuw0TOg7ZoSe+IcDxF44hzPxp84JxATeOKcTI44gBz6tsBxz8kV3Mr9ySGQd6AQBIufA8mBljGr2c5LvboJrUlkjspoX0E2zmf8Wi7uCKu66bwVcqk7OT/SRzGzI8Fb4KGABhhMsrgTyXTudeKduS4BCrZLqtu5HCGjWWcBWT2zygyOzYKzWCB4Jda5PJQz8Bg1lJo/Rg0HDTxGjUQV41HdqVdyXOqVkn1e8dO8sqbbOolfg2AmVM0VryhWWcGcYcoKpvYpKwQ0TFnhqGI8amAyr3+9rX+lgDhnc2WN9VR7E/PZPX17mOSQ+bU93mgEU2hPoeE4CGTPhOwddnXof5xFfl5co7tcTE3iOHouxpfJr06qt2mtqWrYr3D+gjeU0Eqvi09rsYc3LTTeHa+hFdn7HjKUcFxD7a0pHdlY9wZ6cvN0VG0ObsC25C2riwgNYAv7HbHjH6+S+pQT0NqEUKNKMPsnM9F0i4ZT0ONhHH4K0iLOkQ+ptqEq0HRdBaJVFho0AvqstqJ34CR2TTVURHTY1TUmlt0dI7LXcHzzF9yfql/YAw6y7rQAN4mT6KSsNSB268R9S0jYt4RkfcsbwCi8b/me+Id1GWEHfcsbCyywb3nLGt63vEoK6zPCwH1LiO1bQmzfEpL0LSG8bwlRfUuI6Ft4qrK34myq2u1Ou91pp93JdVAzExFYJ6xLBQXWCaONCqwThe8NrBOKH/X+ObCnB79/DiSNfv8ciu5//xyMHu7TFz76gnz6wqmjfPqiZXh9+iJkRIRECRvxgSFRwogjQ6JESfCFRAmVEB4wIsmkFRQwIglfVMCIpHK9ASMSyQ2Pxhk43wZF4wwkjIrGGYrsjcYZjBw+VsJn/6CxEk4dNVaiZXjHSoSM8Mk2bMkJmmzDaKMm2yh872Qbin/Jia+RtPj9FRMJkjIDr7NVw3n
Source: file300un.exe, 00000032.00000002.7140120246.000001F380020000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: MPGPH131.exe, 0000001B.00000002.3350736971.0000000001466000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Dk&Ven_VMware&P
Source: file300un.exe, 00000032.00000002.7140120246.000001F380020000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: MPGPH131.exe, 0000001B.00000003.3206691270.0000000008155000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NSB268R9S0jYt4RkfcsbwCi8b/me+Id1GWEHfcsbCyywb3nLGt63vEoK6zPCwH1LiO1bQmzfEpL0LSG8bwlRfUuI6Ft4qrK34myq2u1Ou91pp93JdVAzExFYJ6xLBQXWCaONCqwThe8NrBOKH/X+ObCnB79/DiSNfv8ciu5//xyMHu7TFz76gnz6wqmjfPqiZXh9+iJkRIRECRvxgSFRwogjQ6JESfCFRAmVEB4wIsmkFRQwIglfVMCIpHK9ASMSyQ2Pxhk43wZF4wwkjIrGGYrsjcYZjBw+VsJn/6CxEk4dNVaiZXjHSoSM8Mk2bMkJmmzDaKMm2yh872Qbin/Jia+RtPj9FRMJkjIDr7NVw3n
Source: d361f35322.exe, 00000009.00000003.2770271909.0000000007DE7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Jyvdtmr1hw59RWhOyj3UwXomWVCjPU7iAAL3c3FM/H4uVkTgfi6JDDGxDHp+kienAUWJPz/5wh5QcXDIQ1X87mrROIM4IUVCE3UDPzNoQLyeuBsPKfj/TYFb7dkFGQ81dvc+p2qwlquNa2jOGVakMyBrCzkDewYOfdUIh11p6F0oHLCv0NsUS8ZY0jRw/DbooNsRTP2BK6h19WUpMOHvFoPCoDZ8IHMFpXh5CkwG9JydFEPceTHosUyRBi3zBBD/g3Tf32Gl12xC0+pPlLOaaUEZlZ24Pk/SaIIhkdqTYwT6QCTg430gkggK9IFIKEkcRJI7aibSMB2273edRTAMtKguoOZT16EdFeM2cGv/kop+mkMbFyvPrrvz2eFwokISoqKb6FZwS5/IE3CDEHCXZrZh8FjkGUVw3QLPKIJJ+TOKELjAM4pwPDEGj5qybAdY4Rzc/yYNjtjMq2jfPW5A2RMIY9QTUfNYNAem506IjgnR9Nz50Cmv7uO43VloogiHSRaaSCguC00clhiJFRwt+xPvfnKv8JZ0f+dNwvWzS2+SeuLRnowD0yCtF/0zjxjPGOgUEUbMO0WEQgY6RURhirGY7u1EngXnp91Tsk92fomEE6UwZzVFRyo54VfJ9TyRJwZo/8MwiwHqIvXEAOVpRY7WnVBhrODe/dgRQYX3uczos12TJGMgUcbRf8jrvikd/VczY83oKOZAMzqKgTejI6EDzeg4bDERNuftnqULxoXXPfG6v9krfDbdf0XoQLjCXaLpea2NXecnZXJn9gK/7u4bACHwMWEsF/+YMF5I4GPCRFLE5FKoUgv0RsC+xv1D14mzjXDWhOP4HkVDCCuw0TOg7ZoSe+IcDxF44hzPxp84JxATeOKcTI44gBz6tsBxz8kV3Mr9ySGQd6AQBIufA8mBljGr2c5LvboJrUlkjspoX0E2zmf8Wi7uCKu66bwVcqk7OT/SRzGzI8Fb4KGABhhMsrgTyXTudeKduS4BCrZLqtu5HCGjWWcBWT2zygyOzYKzWCB4Jda5PJQz8Bg1lJo/Rg0HDTxGjUQV41HdqVdyXOqVkn1e8dO8sqbbOolfg2AmVM0VryhWWcGcYcoKpvYpKwQ0TFnhqGI8amAyr3+9rX+lgDhnc2WN9VR7E/PZPX17mOSQ+bU93mgEU2hPoeE4CGTPhOwddnXof5xFfl5co7tcTE3iOHouxpfJr06qt2mtqWrYr3D+gjeU0Eqvi09rsYc3LTTeHa+hFdn7HjKUcFxD7a0pHdlY9wZ6cvN0VG0ObsC25C2riwgNYAv7HbHjH6+S+pQT0NqEUKNKMPsnM9F0i4ZT0ONhHH4K0iLOkQ+ptqEq0HRdBaJVFho0AvqstqJ34CR2TTVURHTY1TUmlt0dI7LXcHzzF9yfql/YAw6y7rQAN4mT6KSsNSB268R9S0jYt4RkfcsbwCi8b/me+Id1GWEHfcsbCyywb3nLGt63vEoK6zPCwH1LiO1bQmzfEpL0LSG8bwlRfUuI6Ft4qrK34myq2u1Ou91pp93JdVAzExFYJ6xLBQXWCaONCqwThe8NrBOKH/X+ObCnB79/DiSNfv8ciu5//xyMHu7TFz76gnz6wqmjfPqiZXh9+iJkRIRECRvxgSFRwogjQ6JESfCFRAmVEB4wIsmkFRQwIglfVMCIpHK9ASMSyQ2Pxhk43wZF4wwkjIrGGYrsjcYZjBw+VsJn/6CxEk4dNVaiZXjHSoSM8Mk2bMkJmmzDaKMm2yh872Qbin/Jia+RtPj9FRMJkjIDr7NVw3n
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000002.3073575028.0000000001418000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3350736971.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942487367.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2941258327.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940853881.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3350736971.0000000001447000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2943456957.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934755710.0000000001477000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2226894863.0000000000CAA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2226894863.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ac861238af.exe, 00000010.00000003.7189145681.0000000000C76000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: file300un.exe, 00000032.00000002.7140120246.000001F380020000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: file300un.exe, 00000032.00000002.7140120246.000001F380020000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: amert.exe, 00000007.00000003.1859371747.00000000011C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}w
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001418000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000;
Source: RageMP131.exe, 0000002E.00000003.2194989877.0000000001011000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 0000001B.00000002.3354975509.0000000008120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}SModulePath=%ProgramFiles(x86)%\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows
Source: 1CMweaqlKp.exe, 00000000.00000003.1640238021.000000000113E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: amert.exe, 00000007.00000003.1866578225.00000000011B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c73
Source: netsh.exe, 00000016.00000003.1948196297.00000284B17C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllUU
Source: MPGPH131.exe, 0000001B.00000002.3350736971.00000000013ED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: MPGPH131.exe, 0000001B.00000003.3207696960.0000000008157000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: F9yfql/YAw6y7rQAN4mT6KSsNSB268R9S0jYt4RkfcsbwCi8b/me+Id1GWEHfcsbCyywb3nLGt63vEoK6zPCwH1LiO1bQmzfEpL0LSG8bwlRfUuI6Ft4qrK34myq2u1Ou91pp93JdVAzExFYJ6xLBQXWCaONCqwThe8NrBOKH/X+ObCnB79/DiSNfv8ciu5//xyMHu7TFz76gnz6wqmjfPqiZXh9+iJkRIRECRvxgSFRwogjQ6JESfCFRAmVEB4wIsmkFRQwIglfVMCIpHK9ASMSyQ2Pxhk43wZF4wwkjIrGGYrsjcYZjBw+VsJn/6CxEk4dNVaiZXjHSoSM8Mk2bMkJmmzDaKMm2yh872Qbin/Jia+RtPj9FRMJkjIDr7NVw3n
Source: file300un.exe, 00000032.00000002.7140120246.000001F380020000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: MPGPH131.exe, 0000001B.00000002.3350736971.0000000001466000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_ABA40470mm
Source: file300un.exe, 00000032.00000002.7140120246.000001F380020000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: MPGPH131.exe, 0000001B.00000003.3248220823.0000000007CD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}jp,w.jp,x.jp,y.jp,z.jp,a.za,b.za,c.za,d.za,e.za,f.za,g.za,h.za,i.za,j.za,k.za,l.za,m.za,n.za,o.za,p.za,q.z
Source: file300un.exe, 00000032.00000002.7140120246.000001F380020000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: MPGPH131.exe, 0000001C.00000003.2505158116.00000000012C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91e
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}es=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsee
Source: RageMP131.exe, 0000002E.00000002.2637513543.000000000100E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Y
Source: RegAsm.exe, 0000002F.00000002.2105971476.0000000000F0A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: file300un.exe, 00000032.00000002.7140120246.000001F380020000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: d361f35322.exe, 00000024.00000002.3081226044.0000000001440000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_ABA40470
Source: file300un.exe, 00000032.00000002.7140120246.000001F380020000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: d361f35322.exe, 00000024.00000003.2762447424.0000000001447000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JwZo/8MwiwHqIvXEAOVpRY7WnVBhrODe/dgRQYX3uczos12TJGMgUcbRf8jrvikd/VczY83oKOZAMzqKgTejI6EDzeg4bDERNuftnqULxoXXPfG6v9krfDbdf0XoQLjCXaLpea2NXecnZXJn9gK/7u4bACHwMWEsF/+YMF5I4GPCRFLE5FKoUgv0RsC+xv1D14mzjXDWhOP4HkVDCCuw0TOg7ZoSe+IcDxF44hzPxp84JxATeOKcTI44gBz6tsBxz8kV3Mr9ySGQd6AQBIufA8mBljGr2c5LvboJrUlkjspoX0E2zmf8Wi7uCKu66bwVcqk7OT/SRzGzI8Fb4KGABhhMsrgTyXTudeKduS4BCrZLqtu5HCGjWWcBWT2zygyOzYKzWCB4Jda5PJQz8Bg1lJo/Rg0HDTxGjUQV41HdqVdyXOqVkn1e8dO8sqbbOolfg2AmVM0VryhWWcGcYcoKpvYpKwQ0TFnhqGI8amAyr3+9rX+lgDhnc2WN9VR7E/PZPX17mOSQ+bU93mgEU2hPoeE4CGTPhOwddnXof5xFfl5co7tcTE3iOHouxpfJr06qt2mtqWrYr3D+gjeU0Eqvi09rsYc3LTTeHa+hFdn7HjKUcFxD7a0pHdlY9wZ6cvN0VG0ObsC25C2riwgNYAv7HbHjH6+S+pQT0NqEUKNKMPsnM9F0i4ZT0ONhHH4K0iLOkQ+ptqEq0HRdBaJVFho0AvqstqJ34CR2TTVURHTY1TUmlt0dI7LXcHzzF9yfql/YAw6y7rQAN4mT6KSsNSB268R9S0jYt4RkfcsbwCi8b/me+Id1GWEHfcsbCyywb3nLGt63vEoK6zPCwH1LiO1bQmzfEpL0LSG8bwlRfUuI6Ft4qrK34myq2u1Ou91pp93JdVAzExFYJ6xLBQXWCaONCqwThe8NrBOKH/X+ObCnB79/DiSNfv8ciu5//xyMHu7TFz76gnz6wqmjfPqiZXh9+iJkRIRECRvxgSFRwogjQ6JESfCFRAmVEB4wIsmkFRQwIglfVMCIpHK9ASMSyQ2Pxhk43wZF4wwkjIrGGYrsjcYZjBw+VsJn/6CxEk4dNVaiZXjHSoSM8Mk2bMkJmmzDaKMm2yh872Qbin/Jia+RtPj9FRMJkjIDr7NVw3n8
Source: amert.exe, amert.exe, 00000007.00000002.1869091189.00000000007FE000.00000040.00000001.01000000.0000000B.sdmp, d361f35322.exe, d361f35322.exe, 00000009.00000002.3072417756.0000000000B00000.00000040.00000001.01000000.0000000C.sdmp, explorha.exe, 0000000B.00000002.1945729188.0000000000B1E000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 0000001B.00000002.3349608067.0000000000A20000.00000040.00000001.01000000.00000012.sdmp, d361f35322.exe, 00000024.00000002.3073507178.0000000000B00000.00000040.00000001.01000000.0000000C.sdmp, RageMP131.exe, 0000002E.00000002.2634385282.0000000000BB0000.00000040.00000001.01000000.0000001B.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: RegAsm.exe, 0000002F.00000002.2105971476.0000000000F0A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwareO#
Source: RageMP131.exe, 0000002E.00000003.2194989877.0000000001009000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}yr
Source: explorta.exe, 00000005.00000002.1735792403.0000000001288000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: d361f35322.exe, 00000024.00000002.3088709368.0000000007C69000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}es=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsdd
Source: d361f35322.exe, 00000024.00000003.2819365667.000000000144A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kQ+ptqEq0HRdBaJVFho0AvqstqJ34CR2TTVURHTY1TUmlt0dI7LXcHzzF9yfql/YAw6y7rQAN4mT6KSsNSB268R9S0jYt4RkfcsbwCi8b/me+Id1GWEHfcsbCyywb3nLGt63vEoK6zPCwH1LiO1bQmzfEpL0LSG8bwlRfUuI6Ft4qrK34myq2u1Ou91pp93JdVAzExFYJ6xLBQXWCaONCqwThe8NrBOKH/X+ObCnB79/DiSNfv8ciu5//xyMHu7TFz76gnz6wqmjfPqiZXh9+iJkRIRECRvxgSFRwogjQ6JESfCFRAmVEB4wIsmkFRQwIglfVMCIpHK9ASMSyQ2Pxhk43wZF4wwkjIrGGYrsjcYZjBw+VsJn/6CxEk4dNVaiZXjHSoSM8Mk2bMkJmmzDaKMm2yh872Qbin/Jia+RtPj9FRMJkjIDr7NVw3n8
Source: d361f35322.exe, 00000009.00000003.1936676269.000000000142F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-
Source: file300un.exe, 00000032.00000002.7140120246.000001F380020000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: file300un.exe, 00000032.00000002.7140120246.000001F380020000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: d361f35322.exe, 00000024.00000003.2819365667.000000000144A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kQ+ptqEq0HRdBaJVFho0AvqstqJ34CR2TTVURHTY1TUmlt0dI7LXcHzzF9yfql/YAw6y7rQAN4mT6KSsNSB268R9S0jYt4RkfcsbwCi8b/me+Id1GWEHfcsbCyywb3nLGt63vEoK6zPCwH1LiO1bQmzfEpL0LSG8bwlRfUuI6Ft4qrK34myq2u1Ou91pp93JdVAzExFYJ6xLBQXWCaONCqwThe8NrBOKH/X+ObCnB79/DiSNfv8ciu5//xyMHu7TFz76gnz6wqmjfPqiZXh9+iJkRIRECRvxgSFRwogjQ6JESfCFRAmVEB4wIsmkFRQwIglfVMCIpHK9ASMSyQ2Pxhk43wZF4wwkjIrGGYrsjcYZjBw+VsJn/6CxEk4dNVaiZXjHSoSM8Mk2bMkJmmzDaKMm2yh872Qbin/Jia+RtPj9FRMJkjIDr7NVw3n
Source: file300un.exe, 00000032.00000002.7140120246.000001F380020000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: d361f35322.exe, 00000009.00000003.2912737740.0000000007DE3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cqk7OT/SRzGzI8Fb4KGABhhMsrgTyXTudeKduS4BCrZLqtu5HCGjWWcBWT2zygyOzYKzWCB4Jda5PJQz8Bg1lJo/Rg0HDTxGjUQV41HdqVdyXOqVkn1e8dO8sqbbOolfg2AmVM0VryhWWcGcYcoKpvYpKwQ0TFnhqGI8amAyr3+9rX+lgDhnc2WN9VR7E/PZPX17mOSQ+bU93mgEU2hPoeE4CGTPhOwddnXof5xFfl5co7tcTE3iOHouxpfJr06qt2mtqWrYr3D+gjeU0Eqvi09rsYc3LTTeHa+hFdn7HjKUcFxD7a0pHdlY9wZ6cvN0VG0ObsC25C2riwgNYAv7HbHjH6+S+pQT0NqEUKNKMPsnM9F0i4ZT0ONhHH4K0iLOkQ+ptqEq0HRdBaJVFho0AvqstqJ34CR2TTVURHTY1TUmlt0dI7LXcHzzF9yfql/YAw6y7rQAN4mT6KSsNSB268R9S0jYt4RkfcsbwCi8b/me+Id1GWEHfcsbCyywb3nLGt63vEoK6zPCwH1LiO1bQmzfEpL0LSG8bwlRfUuI6Ft4qrK34myq2u1Ou91pp93JdVAzExFYJ6xLBQXWCaONCqwThe8NrBOKH/X+ObCnB79/DiSNfv8ciu5//xyMHu7TFz76gnz6wqmjfPqiZXh9+iJkRIRECRvxgSFRwogjQ6JESfCFRAmVEB4wIsmkFRQwIglfVMCIpHK9ASMSyQ2Pxhk43wZF4wwkjIrGGYrsjcYZjBw+VsJn/6CxEk4dNVaiZXjHSoSM8Mk2bMkJmmzDaKMm2yh872Qbin/Jia+RtPj9FRMJkjIDr7NVw3n
Source: d361f35322.exe, 00000024.00000002.3079225585.00000000013F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWL
Source: amert.exe, 00000007.00000002.1869091189.00000000007FE000.00000040.00000001.01000000.0000000B.sdmp, d361f35322.exe, 00000009.00000002.3072417756.0000000000B00000.00000040.00000001.01000000.0000000C.sdmp, explorha.exe, 0000000B.00000002.1945729188.0000000000B1E000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 0000001B.00000002.3349608067.0000000000A20000.00000040.00000001.01000000.00000012.sdmp, d361f35322.exe, 00000024.00000002.3073507178.0000000000B00000.00000040.00000001.01000000.0000000C.sdmp, RageMP131.exe, 0000002E.00000002.2634385282.0000000000BB0000.00000040.00000001.01000000.0000001B.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: d361f35322.exe, 00000009.00000002.3073575028.00000000013E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_ABA40470}
Source: RageMP131.exe, 0000002E.00000002.2637513543.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000

Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe

System information queried: CodeIntegrityInformation

Hides threads from debuggers

Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Thread information set: HideFromDebugger

Potentially malicious time measurement code found

Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe

Code function: 9_2_052D03D1 Start: 052D06B7 End: 052D0461

9_2_052D03D1

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: SIWVID

Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe

Code function: 7_2_05010B4F rdtsc

7_2_05010B4F

Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_008A4130 mov eax, dword ptr fs:[00000030h]		9_2_008A4130
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Code function: 9_2_00871A60 mov eax, dword ptr fs:[00000030h]		9_2_00871A60

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 193.233.132.56 80

.NET source code references suspicious native API functions

Source: swiiiii[1].exe.10.dr, Angelo.cs	Reference to suspicious API methods: Program.GetProcAddress(Program.GetModuleHandle(aScsrhgtr), "FreeConsole")
Source: swiiiii[1].exe.10.dr, Angelo.cs	Reference to suspicious API methods: Program.GetProcAddress(Program.GetModuleHandle(aScsrhgtr), "VirtualProtectEx")
Source: file300un[1].exe.10.dr, -.cs	Reference to suspicious API methods: _FDDD_FDFD_FBD0_066C_FDD3_0611_FDFC_FDD9.LoadLibrary(_FDD4_FD3E_06D8(_FD42_066A_061F_FBB7_060E_066D._0650_FBBC_FDE8))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" -Force
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" -Force

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe

Thread created: unknown EIP: 34419A0

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

LummaC encrypted strings found

Source: RegAsm.exe, 0000001D.00000002.2189256789.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: pillowbrocccolipe.shop
Source: RegAsm.exe, 0000001D.00000002.2189256789.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: communicationgenerwo.shop
Source: RegAsm.exe, 0000001D.00000002.2189256789.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: diskretainvigorousiw.shop
Source: RegAsm.exe, 0000001D.00000002.2189256789.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: affordcharmcropwo.shop
Source: RegAsm.exe, 0000001D.00000002.2189256789.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: dismissalcylinderhostw.shop
Source: RegAsm.exe, 0000001D.00000002.2189256789.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: enthusiasimtitleow.shop
Source: RegAsm.exe, 0000001D.00000002.2189256789.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: worryfillvolcawoi.shop
Source: RegAsm.exe, 0000001D.00000002.2189256789.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: cleartotalfisherwo.shop

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe	Section loaded: NULL target: unknown protection: read write
Source: C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe	Section loaded: NULL target: unknown protection: execute and read

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe

Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base address: 400000

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 439000
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43C000
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 447000
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 629008
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41B000
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 423000
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 636000
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: BF3008
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 404000
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 406000
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: BDB008

Source: C:\Users\user\Desktop\1CMweaqlKp.exe	Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Process created: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe "C:\Users\user\AppData\Local\Temp\1000019001\amert.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Process created: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe "C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Process created: C:\Users\user\1000021002\ac861238af.exe "C:\Users\user\1000021002\ac861238af.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe	Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe "C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe "C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe "C:\Users\user\AppData\Local\Temp\1000071001\jok.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe "C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Process created: unknown unknown
Source: C:\Users\user\1000021002\ac861238af.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe" /F
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Process created: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe "C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe"
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Process created: C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe "C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe"
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe	Process created: C:\Users\user\AppData\Local\Temp\u6po.0.exe "C:\Users\user\AppData\Local\Temp\u6po.0.exe"
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe" -Force
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown

Source: ac861238af.exe, 00000010.00000000.1932011901.0000000000762000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: RageMP131.exe, 0000002E.00000002.2634385282.0000000000BB0000.00000040.00000001.01000000.0000001B.sdmp	Binary or memory string: QProgram Manager

Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\u6po.0.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\u6po.0.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000019001\amert.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Queries volume information: C:\Users\user\1000021002\ac861238af.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe	Queries volume information: C:\Users\user\1000021002\ac861238af.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000077001\jfesawdr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000077001\jfesawdr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000079001\gold.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000080001\alexxxxxxxx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000080001\alexxxxxxxx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000081001\install.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000081001\install.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\Users\user\Desktop\AIXACVYBSB.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\Users\user\Desktop\DTBZGIOOSO.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\Users\user\Desktop\DTBZGIOOSO.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\Users\user\Desktop\HTAGVDFUIE.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\Users\user\Desktop\ONBQCLYSPU.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\Users\user\Desktop\ONBQCLYSPU.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\Users\user\Desktop\UMMBDNEQBN.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\Users\user\Desktop\XZXHAVGRAG.docx VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000066001\swiiiii.exe VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: unknown VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000235001\toolspub1.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000236001\4767d2e713f2021e8fe856e3ea638b58.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000236001\4767d2e713f2021e8fe856e3ea638b58.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u6po.1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u6po.1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u6po.1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u6po.1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u6po.1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u6po.1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u6po.1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u6po.1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u6po.1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u6po.1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u6po.1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u6po.1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u6po.1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u6po.1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u6po.1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\u6po.0.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\u6po.0.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe

9_2_008BD2B0

Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe

9_2_008BD2B0

Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disables UAC (registry)

Source: C:\Users\user\AppData\Local\Temp\1000075001\file300un.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\System32\rundll32.exe

Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles

Source: RegAsm.exe, 0000001D.00000002.2278813474.0000000002E44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2274630744.0000000000D77000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Amadey

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected Amadeys Clipper DLL

Source: Yara match	File source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\clip64[1].dll, type: DROPPED

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 35.0.NewB.exe.e50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.0.NewB.exe.e50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.explorha.exe.930000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.NewB.exe.e50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.amert.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1CMweaqlKp.exe.730000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.explorta.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.1721215690.00000000011E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.2050930258.0000000000E51000.00000020.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.2011865777.0000000000E51000.00000020.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1626992485.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1904362561.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1663910421.0000000000C90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1868102298.0000000000611000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1663899661.0000000000731000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1826787054.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1732128904.0000000000701000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2069776940.0000000000E51000.00000020.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1945079164.0000000000931000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1894101326.0000000005260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\cred64[1].dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\clip64[1].dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\NewB[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, type: DROPPED

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5348, type: MEMORYSTR

Yara detected Mars stealer

Source: Yara match	File source: 47.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 47.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.3.u6po.0.exe.3680000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.swiiii.exe.3cb5570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.3.u6po.0.exe.3680000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.swiiii.exe.3cb5570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002C.00000002.2151525456.0000000003CB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000003.2152173443.0000000003680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000002.2102303995.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 40.0.jok.exe.7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000028.00000000.2051081332.00000000007C2000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jok.exe PID: 8672, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\jok[1].exe, type: DROPPED

Yara detected RisePro Stealer

Source: Yara match	File source: 00000024.00000003.2840876152.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.2839845792.0000000007CE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.3354975509.0000000008152000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.3088709368.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3082656269.0000000007D70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.2839809905.0000000007CCF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.2840195887.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.2839878527.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: d361f35322.exe PID: 5772, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 6636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: d361f35322.exe PID: 8200, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 8964, type: MEMORYSTR

Yara detected SmokeLoader

Source: Yara match	File source: 00000031.00000002.2229022734.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000002.2229087093.0000000003661000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Stealc

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: 47.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 47.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.3.u6po.0.exe.3680000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.swiiii.exe.3cb5570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.swiiii.exe.3cb5570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.3.u6po.0.exe.3680000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002C.00000002.2151525456.0000000003CB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000003.2152173443.0000000003680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000002.2102303995.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Found many strings related to Crypto-Wallets (likely being stolen)

Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\com.liberty.jaxx
Source: RegAsm.exe, 0000001D.00000002.2226894863.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.walletRE
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.walletRE
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\app-store.jsons8
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
Source: RegAsm.exe, 0000001D.00000002.2196300199.00000000008F7000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: 5AWallets/ExodusAC:\Users\user\AppData\Roaming\Exodus\exodus.wallet4Y)A%appdata%\Exodus\exodus.walletAkeystore
Source: MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live

Tries to harvest and steal WLAN passwords

Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Orbitum\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Chromium\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\logins.json
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\CentBrowser\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Chedot\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj

Tries to harvest and steal ftp login credentials

Source: C:\Windows\System32\rundll32.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB

Tries to steal Instant Messenger accounts or passwords

Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Windows\System32\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Windows\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Windows\ImmersiveControlPanel\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Windows\System32\oobe\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Program Files (x86)\kwTJRnYVwAQEhcNiCzeUXAdMAbCUXdSzVvyfmsqkGAXe\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Temp\5454e6f062\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Program Files\Google\Chrome\Application\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Temp\1000020001\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Temp\09fd851a4f\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\1000021002\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Windows\SysWOW64\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\Desktop\{6D809377-6AF0-444B-8957-A3773F02200E}\Common Files\microsoft shared\ClickToRun\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\.purple\accounts.xml

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\AIXACVYBSB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\AIXACVYBSB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\CURQNKVOIX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\AIXACVYBSB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\KZWFNRXYKI
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\KZWFNRXYKI
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\AIXACVYBSB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\CURQNKVOIX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\AIXACVYBSB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\KZWFNRXYKI
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\AIXACVYBSB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\KZWFNRXYKI
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\ZQIXMVQGAH

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Directory queried: number of queries: 1081

Source: Yara match	File source: 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: d361f35322.exe PID: 5772, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 6636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: d361f35322.exe PID: 8200, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5348, type: MEMORYSTR

Yara detected Mars stealer

Source: Yara match	File source: 47.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 47.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.3.u6po.0.exe.3680000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.swiiii.exe.3cb5570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.3.u6po.0.exe.3680000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.swiiii.exe.3cb5570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002C.00000002.2151525456.0000000003CB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000003.2152173443.0000000003680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000002.2102303995.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 40.0.jok.exe.7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000028.00000000.2051081332.00000000007C2000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jok.exe PID: 8672, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000071001\jok.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\jok[1].exe, type: DROPPED

Yara detected RisePro Stealer

Source: Yara match	File source: 00000024.00000003.2840876152.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.2839845792.0000000007CE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.3354975509.0000000008152000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.3088709368.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3082656269.0000000007D70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.2839809905.0000000007CCF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.2840195887.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.2839878527.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: d361f35322.exe PID: 5772, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 6636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: d361f35322.exe PID: 8200, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 8964, type: MEMORYSTR

Yara detected SmokeLoader

Source: Yara match	File source: 00000031.00000002.2229022734.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000002.2229087093.0000000003661000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Stealc

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: 47.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 47.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.3.u6po.0.exe.3680000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.swiiii.exe.3cb5570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.swiiii.exe.3cb5570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.3.u6po.0.exe.3680000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002C.00000002.2151525456.0000000003CB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000003.2152173443.0000000003680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000002.2102303995.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	31 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	11 Scheduled Task/Job	712 Process Injection	111 Deobfuscate/Decode Files or Information	11 Input Capture	23 File and Directory Discovery	Remote Desktop Protocol	41 Data from Local System	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	21 Registry Run Keys / Startup Folder	11 Scheduled Task/Job	4 Obfuscated Files or Information	1 Credentials in Registry	328 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Command and Scripting Interpreter	Login Hook	21 Registry Run Keys / Startup Folder	1 Install Root Certificate	1 Credentials In Files	1 Query Registry	Distributed Component Object Model	11 Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	11 Scheduled Task/Job	Network Logon Script	Network Logon Script	13 Software Packing	LSA Secrets	1371 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	1 PowerShell	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	671 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Masquerading	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	671 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	712 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Rundll32	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
1CMweaqlKp.exe	50%	ReversingLabs	Win32.Trojan.Amadey
1CMweaqlKp.exe	44%	Virustotal		Browse
1CMweaqlKp.exe	100%	Avira	TR/Crypt.XPACK.Gen
1CMweaqlKp.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\1000021002\ac861238af.exe	100%	Avira	TR/AutoIt.zstul
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\amert[1].exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\NewB[1].exe	100%	Avira	TR/Redcap.pernp
C:\Users\user\AppData\Local\9WrQ2c2u5fxH1pcvCwwjGhdd.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\5W1aDm1vpFLN4gyrIiISMc4h.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Bkg8NSHXvizTVBsjT3dzRvci.exe	100%	Joe Sandbox ML
C:\Users\user\1000021002\ac861238af.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\KHojJ9v7XtNSHZfW6gAnnH23.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\sarra[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\file300un[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\9SmQs0R4T5RJUISklvcv02zp.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\5LzADXbR9e1baIzvWufsCa70.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Aghrmi42Lz5QvS8u8U6BiVXQ.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\C893DEcM3dAA247WrHBz1SDW.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\8sXk5E4IG9n4ZHu2M9Littnp.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\CmCQsbfi77SnYQWckHTzUjRg.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\4767d2e713f2021e8fe856e3ea638b58[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\GIz2DLitsyoTn14REJti2nqN.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\amert[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\NewB[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\H3bqnZf96LFIOlogieo3h5K9.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	53%	Virustotal		Browse
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\freebl3.dll	0%	Virustotal		Browse
C:\Users\user\1000021002\ac861238af.exe	35%	Virustotal		Browse
C:\Users\user\AppData\Local\5LzADXbR9e1baIzvWufsCa70.exe	34%	ReversingLabs
C:\Users\user\AppData\Local\5LzADXbR9e1baIzvWufsCa70.exe	44%	Virustotal		Browse
C:\Users\user\AppData\Local\5W1aDm1vpFLN4gyrIiISMc4h.exe	32%	ReversingLabs
C:\Users\user\AppData\Local\5W1aDm1vpFLN4gyrIiISMc4h.exe	43%	Virustotal		Browse
C:\Users\user\AppData\Local\8sXk5E4IG9n4ZHu2M9Littnp.exe	75%	ReversingLabs	Win32.Trojan.Operaloader
C:\Users\user\AppData\Local\8sXk5E4IG9n4ZHu2M9Littnp.exe	72%	Virustotal		Browse
C:\Users\user\AppData\Local\9SmQs0R4T5RJUISklvcv02zp.exe	32%	ReversingLabs
C:\Users\user\AppData\Local\9SmQs0R4T5RJUISklvcv02zp.exe	43%	Virustotal		Browse
C:\Users\user\AppData\Local\9WrQ2c2u5fxH1pcvCwwjGhdd.exe	75%	ReversingLabs	Win32.Trojan.Operaloader
C:\Users\user\AppData\Local\9WrQ2c2u5fxH1pcvCwwjGhdd.exe	72%	Virustotal		Browse
C:\Users\user\AppData\Local\Aghrmi42Lz5QvS8u8U6BiVXQ.exe	43%	ReversingLabs	Win32.Packed.Generic
C:\Users\user\AppData\Local\Aghrmi42Lz5QvS8u8U6BiVXQ.exe	43%	Virustotal		Browse
C:\Users\user\AppData\Local\Bkg8NSHXvizTVBsjT3dzRvci.exe	75%	ReversingLabs	Win32.Trojan.Operaloader
C:\Users\user\AppData\Local\Bkg8NSHXvizTVBsjT3dzRvci.exe	72%	Virustotal		Browse
C:\Users\user\AppData\Local\C893DEcM3dAA247WrHBz1SDW.exe	43%	ReversingLabs	Win32.Packed.Generic
C:\Users\user\AppData\Local\C893DEcM3dAA247WrHBz1SDW.exe	43%	Virustotal		Browse
C:\Users\user\AppData\Local\CmCQsbfi77SnYQWckHTzUjRg.exe	34%	ReversingLabs
C:\Users\user\AppData\Local\CmCQsbfi77SnYQWckHTzUjRg.exe	44%	Virustotal		Browse
C:\Users\user\AppData\Local\H3bqnZf96LFIOlogieo3h5K9.exe	34%	ReversingLabs
C:\Users\user\AppData\Local\H3bqnZf96LFIOlogieo3h5K9.exe	44%	Virustotal		Browse
C:\Users\user\AppData\Local\KHojJ9v7XtNSHZfW6gAnnH23.exe	32%	ReversingLabs
C:\Users\user\AppData\Local\KHojJ9v7XtNSHZfW6gAnnH23.exe	43%	Virustotal		Browse
C:\Users\user\AppData\Local\LIdx8BlqmZTW07MQOtXboF4f.exe	42%	ReversingLabs	Win64.Trojan.Generic
C:\Users\user\AppData\Local\LIdx8BlqmZTW07MQOtXboF4f.exe	37%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\4767d2e713f2021e8fe856e3ea638b58[1].exe	34%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\4767d2e713f2021e8fe856e3ea638b58[1].exe	44%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\NewB[1].exe	91%	ReversingLabs	Win32.Trojan.Malgent
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\NewB[1].exe	85%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\amert[1].exe	58%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://trade-inmyus.com/index.php	0%	URL Reputation	safe
http://trade-inmyus.com/index.php	0%	URL Reputation	safe
https://api.ip.sb/ip	0%	URL Reputation	safe
http://trad-einmyus.com/index.php	0%	URL Reputation	safe
https://mozilla.org0/	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
http://tradein-myus.com/index.php	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
pillowbrocccolipe.shop	0%	Avira URL Cloud	safe
https://junglethomas.com/b3e2dbff31c451a3fa7323ca95e661ba/4767d2e713f2021e8fe856e3ea638b58.exev	0%	Avira URL Cloud	safe
https://junglethomas.com/b3e2dbff31c451a3fa7323ca95e661ba/4767d2e713f2021e8fe856e3ea638b58.exe	0%	Avira URL Cloud	safe
https://youtube.comVISITOR_INFO1_LIVE/	0%	Avira URL Cloud	safe
185.215.113.67:26260	100%	Avira URL Cloud	malware
https://youtube.comVISITOR_PRIVACY_METADATAv10	0%	Avira URL Cloud	safe
http://185.172.128.150/c698e1bc8a2f5e6d.php	0%	Avira URL Cloud	safe
cleartotalfisherwo.shop	0%	Avira URL Cloud	safe
185.215.113.67:26260	16%	Virustotal		Browse
http://193.233.132.56/cost/lenin.exe1	0%	Avira URL Cloud	safe
pillowbrocccolipe.shop	18%	Virustotal		Browse
cleartotalfisherwo.shop	18%	Virustotal		Browse
communicationgenerwo.shop	0%	Avira URL Cloud	safe
https://affordcharmcropwo.shop/d	0%	Avira URL Cloud	safe
http://193.233.132.56/cost/lenin.exe;x	0%	Avira URL Cloud	safe
http://193.233.132.56/cost/go.exe4x	0%	Avira URL Cloud	safe
http://185.172.128.150/c698e1bc8a2f5e6d.php	20%	Virustotal		Browse
https://affordcharmcropwo.shop/z	0%	Avira URL Cloud	safe
https://affordcharmcropwo.shop/d	10%	Virustotal		Browse
worryfillvolcawoi.shop	0%	Avira URL Cloud	safe
https://youtube.comYSC/)?	0%	Avira URL Cloud	safe
diskretainvigorousiw.shop	0%	Avira URL Cloud	safe
https://junglethomas.com/	0%	Avira URL Cloud	safe
http://147.45.47.102:57893/hera/amadka.exe	100%	Avira URL Cloud	malware
worryfillvolcawoi.shop	18%	Virustotal		Browse
https://affordcharmcropwo.shop/z	13%	Virustotal		Browse
http://147.45.47.102:57893/hera/amadka.exer.dbl	0%	Avira URL Cloud	safe
http://193.233.132.56/cost/lenin.exe1	22%	Virustotal		Browse
http://193.233.132.56/cost/go.exehCorel.ba	0%	Avira URL Cloud	safe
https://affordcharmcropwo.shop/apitemb	0%	Avira URL Cloud	safe
diskretainvigorousiw.shop	18%	Virustotal		Browse
http://193.233.132.56/cost/go.exe	0%	Avira URL Cloud	safe
affordcharmcropwo.shop	0%	Avira URL Cloud	safe
communicationgenerwo.shop	17%	Virustotal		Browse
https://youtube.comVISITOR_PRIVACY_METADATA/(9	0%	Avira URL Cloud	safe
http://147.45.47.102:57893/hera/amadka.exe	20%	Virustotal		Browse
http://193.233.132.56/cost/lenin.exew.s	0%	Avira URL Cloud	safe
http://193.233.132.56/cost/lenin.exea.exe68.0l	0%	Avira URL Cloud	safe
https://junglethomas.com/	12%	Virustotal		Browse
http://193.233.132.56/cost/go.exe	25%	Virustotal		Browse
http://193.233.132.56/cost/go.exemadka.ex	0%	Avira URL Cloud	safe
affordcharmcropwo.shop	17%	Virustotal		Browse
https://youtube.comYSCv10	0%	Avira URL Cloud	safe
https://accounts.googl	0%	Avira URL Cloud	safe
https://affordcharmcropwo.shop:443/apiNAME=userUSERPROFILE=C:	0%	Avira URL Cloud	safe
https://youtube.comVISITOR_INFO1_LIVEv10%	0%	Avira URL Cloud	safe
enthusiasimtitleow.shop	0%	Avira URL Cloud	safe
http://193.233.132.56/cost/go.exemadka.ex	22%	Virustotal		Browse
https://affordcharmcropwo.shop/api	0%	Avira URL Cloud	safe
http://147.45.47.102:57893/hera/amadka.exe.lv	0%	Avira URL Cloud	safe
enthusiasimtitleow.shop	17%	Virustotal		Browse
https://affordcharmcropwo.shop/api	22%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
http://trade-inmyus.com/index.php	true	URL Reputation: safe URL Reputation: safe	unknown
pillowbrocccolipe.shop	true	18%, Virustotal, Browse Avira URL Cloud: safe	unknown
185.215.113.67:26260	true	16%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://185.172.128.150/c698e1bc8a2f5e6d.php	true	20%, Virustotal, Browse Avira URL Cloud: safe	unknown
cleartotalfisherwo.shop	true	18%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://trad-einmyus.com/index.php	true	URL Reputation: safe	unknown
communicationgenerwo.shop	true	17%, Virustotal, Browse Avira URL Cloud: safe	unknown
worryfillvolcawoi.shop	true	18%, Virustotal, Browse Avira URL Cloud: safe	unknown
diskretainvigorousiw.shop	true	18%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tradein-myus.com/index.php	true	URL Reputation: safe	unknown
affordcharmcropwo.shop	true	17%, Virustotal, Browse Avira URL Cloud: safe	unknown
enthusiasimtitleow.shop	true	17%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	d361f35322.exe, 00000009.00000003.2768632315.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2767613201.0000000007DD3000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2912919495.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3207151088.0000000007D26000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942633187.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2823800272.0000000007D04000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760693387.0000000007CF6000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759849367.0000000007CCC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://junglethomas.com/b3e2dbff31c451a3fa7323ca95e661ba/4767d2e713f2021e8fe856e3ea638b58.exev	NewB.exe, 00000023.00000003.2221273909.0000000000C97000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	d361f35322.exe, 00000009.00000003.2768632315.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2767613201.0000000007DD3000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2912919495.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3207151088.0000000007D26000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942633187.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2823800272.0000000007D04000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760693387.0000000007CF6000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759849367.0000000007CCC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://db-ip.com/	d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2647485220.0000000001492000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2943052576.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944589602.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944963727.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934727765.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944248868.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942019558.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940827091.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3247558222.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3351318785.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2824519132.0000000001444000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2762153720.0000000001440000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2758759334.000000000143F000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2874193365.000000000143F000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3081226044.0000000001440000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759980015.0000000001444000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760938757.0000000001442000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760535342.0000000001441000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2825526740.0000000001443000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2762501264.0000000001441000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/RiseProSUPPORTo5#	RageMP131.exe, 0000002E.00000002.2637513543.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/widget/demo/81.181.54.104	d361f35322.exe, 00000009.00000002.3073575028.00000000013FA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3350736971.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942487367.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2941258327.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940853881.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2943456957.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3350736971.0000000001429000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934755710.0000000001477000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3079225585.00000000013F2000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3079225585.000000000139F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2637513543.0000000000FDB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://db-ip.com/demo/home.php?s=81.181.54.1042	d361f35322.exe, 00000009.00000003.2647485220.0000000001492000.00000004.00000020.00020000.00000000.sdmp	false		high
https://db-ip.com/demo/home.php?s=81.181.54.1045	MPGPH131.exe, 0000001B.00000003.2943052576.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944589602.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944963727.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934727765.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944248868.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942019558.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940827091.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3247558222.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3351318785.00000000014BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://junglethomas.com/b3e2dbff31c451a3fa7323ca95e661ba/4767d2e713f2021e8fe856e3ea638b58.exe	NewB.exe, 00000023.00000003.2221273909.0000000000C97000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 0000001E.00000002.2315360912.000001D42EE5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2095956248.000001D4207A0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://t.me/RiseProSUPPORTI	d361f35322.exe, 00000024.00000003.2840876152.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3088709368.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://youtube.comVISITOR_INFO1_LIVE/	MPGPH131.exe, 0000001B.00000003.3204849861.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819272725.0000000007CB5000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819336338.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://youtube.comVISITOR_PRIVACY_METADATAv10	u6po.0.exe, 00000033.00000003.2232787568.00000000220DC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://ipinfo.io:443/widget/demo/81.181.54.1048	MPGPH131.exe, 0000001B.00000002.3350736971.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942487367.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2941258327.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940853881.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2943456957.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934755710.0000000001477000.00000004.00000020.00020000.00000000.sdmp	false		high
http://193.233.132.56/cost/lenin.exe1	RageMP131.exe, 0000002E.00000002.2637513543.0000000001038000.00000004.00000020.00020000.00000000.sdmp	false	22%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000001E.00000002.2095956248.000001D41EDE1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://db-ip.com/demo/home.php?s=81.181.54.104	d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2647485220.0000000001492000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3350736971.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942487367.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2943052576.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2941258327.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940853881.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944589602.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944963727.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934727765.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2943456957.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944248868.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934755710.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942019558.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940827091.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3247558222.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3351318785.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2824519132.0000000001444000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3079225585.000000000140C000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2762153720.0000000001440000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2758759334.000000000143F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 0000001E.00000002.2095956248.000001D41F008000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2095956248.000001D420547000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ip.sb/ip	jok.exe, 00000028.00000000.2051081332.00000000007C2000.00000002.00000001.01000000.00000018.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/account/v/	MPGPH131.exe, 0000001B.00000003.3206133655.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820673524.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820817674.000000000144A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820817674.0000000001443000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mozilla.org0/	freebl3[1].dll.51.dr	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000001E.00000002.2095956248.000001D41F008000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000001E.00000002.2095956248.000001D41F008000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000001E.00000002.2095956248.000001D41F008000.00000004.00000800.00020000.00000000.sdmp	false		high
https://db-ip.com:443/demo/home.php?s=81.181.54.104	MPGPH131.exe, 0000001B.00000002.3350736971.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942487367.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2941258327.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940853881.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2943456957.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934755710.0000000001477000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2637513543.0000000001038000.00000004.00000020.00020000.00000000.sdmp	false		high
https://affordcharmcropwo.shop/d	RegAsm.exe, 0000001D.00000002.2273817779.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	false	10%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 0000001E.00000002.2095956248.000001D4207A0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	d361f35322.exe, 00000009.00000002.3072030296.00000000007E1000.00000040.00000001.01000000.0000000C.sdmp, MPGPH131.exe, 0000001B.00000003.2069728672.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3349331204.0000000000701000.00000040.00000001.01000000.00000012.sdmp, MPGPH131.exe, 0000001C.00000003.2070120899.0000000005180000.00000004.00001000.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2021888097.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3072062602.00000000007E1000.00000040.00000001.01000000.0000000C.sdmp, RageMP131.exe, 0000002E.00000003.2138214229.0000000004C70000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2634123106.0000000000891000.00000040.00000001.01000000.0000001B.sdmp	false		high
http://193.233.132.56/cost/lenin.exe;x	d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2647485220.0000000001492000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	d361f35322.exe, 00000009.00000003.2768632315.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2767613201.0000000007DD3000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2912919495.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3207151088.0000000007D26000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942633187.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2823800272.0000000007D04000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760693387.0000000007CF6000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759849367.0000000007CCC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://193.233.132.56/cost/go.exe4x	d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2647485220.0000000001492000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/RiseProSUPPORT	d361f35322.exe, 00000009.00000002.3082656269.0000000007D70000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000002.3073575028.00000000013BE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3354975509.0000000008152000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3350736971.00000000013ED000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2840876152.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2839845792.0000000007CE8000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3088709368.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2839809905.0000000007CCF000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3079225585.000000000136B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2637513543.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://affordcharmcropwo.shop/z	RegAsm.exe, 0000001D.00000002.2273817779.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	false	13%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	d361f35322.exe, 00000009.00000003.2768632315.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2767613201.0000000007DD3000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2912919495.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3207151088.0000000007D26000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942633187.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2823800272.0000000007D04000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760693387.0000000007CF6000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759849367.0000000007CCC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	RageMP131.exe, 0000002E.00000002.2671632274.000000000795D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 0000001E.00000002.2095956248.000001D41F008000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/account	d361f35322.exe, 00000009.00000003.2912274365.0000000007DC2000.00000004.00000020.00020000.00000000.sdmp, ac861238af.exe, 00000010.00000003.7189686015.0000000000C7C000.00000004.00000020.00020000.00000000.sdmp, ac861238af.exe, 00000010.00000003.2320418390.000000000336C000.00000004.00000020.00020000.00000000.sdmp, ac861238af.exe, 00000010.00000003.2320275710.0000000003355000.00000004.00000020.00020000.00000000.sdmp, ac861238af.exe, 00000010.00000003.2320347999.0000000003358000.00000004.00000020.00020000.00000000.sdmp, ac861238af.exe, 00000010.00000003.7258589510.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp, ac861238af.exe, 00000010.00000003.7259110109.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, ac861238af.exe, 00000010.00000003.7189145681.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3350736971.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3205947734.0000000007CEB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3206133655.0000000008153000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2828616710.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820488974.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2826400120.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2840128095.0000000007CCF000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2832748402.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2836881277.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2873758197.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2840628725.0000000007CCF000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2830540798.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com/accountkO	MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://yip.su/RNWPd.exeChttps://pastebin.com/raw/E0rY26ni5https://iplogger.com/1lyxz	file300un.exe, 00000032.00000002.7140120246.000001F380091000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ipinfo.io/	RageMP131.exe, 0000002E.00000002.2637513543.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2637513543.0000000001038000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/risepro_botrisepro4.104	MPGPH131.exe, 0000001B.00000003.2943052576.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944589602.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944963727.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934727765.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944248868.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942019558.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940827091.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3247558222.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3351318785.00000000014BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.maxmind.com/en/locate-my-ip-address	d361f35322.exe	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000001E.00000002.2095956248.000001D41F008000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ipinfo.io/5	d361f35322.exe, 00000009.00000002.3073575028.00000000013E7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://youtube.comYSC/)?	d361f35322.exe, 00000009.00000003.2912110551.0000000007DBC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3204849861.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819272725.0000000007CB5000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819336338.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/RiseProSUPPORTxR	d361f35322.exe, 00000024.00000002.3079225585.000000000136B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://junglethomas.com/	NewB.exe, 00000023.00000003.2221273909.0000000000C97000.00000004.00000020.00020000.00000000.sdmp	false	12%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ipinfo.io:443/widget/demo/81.181.54.104Uz	d361f35322.exe, 00000024.00000002.3079225585.000000000136B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://db-ip.com/demo/home.php?s=81.181.54.104XNN	RageMP131.exe, 0000002E.00000002.2637513543.0000000001038000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io:443/widget/demo/81.181.54.104	d361f35322.exe, 00000009.00000002.3073575028.0000000001449000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2637513543.000000000102A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	RageMP131.exe, 0000002E.00000002.2671632274.000000000795D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://147.45.47.102:57893/hera/amadka.exe	d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2647485220.0000000001492000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2943052576.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944589602.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944963727.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934727765.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944248868.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942019558.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940827091.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3247558222.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3351318785.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2824519132.0000000001444000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2762153720.0000000001440000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2758759334.000000000143F000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2874193365.000000000143F000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3081226044.0000000001440000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759980015.0000000001444000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760938757.0000000001442000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760535342.0000000001441000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2825526740.0000000001443000.00000004.00000020.00020000.00000000.sdmp	false	20%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://147.45.47.102:57893/hera/amadka.exer.dbl	d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 0000001E.00000002.2095956248.000001D4207A0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/accountYouTube	MPGPH131.exe, 0000001B.00000003.3206207533.0000000008124000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820488974.0000000007CDD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820609546.0000000007CE1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	d361f35322.exe, 00000009.00000003.2768632315.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2767613201.0000000007DD3000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2912919495.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3207151088.0000000007D26000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942633187.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2823800272.0000000007D04000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760693387.0000000007CF6000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759849367.0000000007CCC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://193.233.132.56/cost/go.exehCorel.ba	MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://affordcharmcropwo.shop/apitemb	RegAsm.exe, 0000001D.00000002.2274630744.0000000000D56000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/widget/demo/81.181.54.104T	d361f35322.exe, 00000009.00000002.3073575028.0000000001449000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2637513543.000000000102A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/risepro_botP	MPGPH131.exe, 0000001B.00000003.2943052576.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944589602.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944963727.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934727765.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944248868.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942019558.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940827091.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3247558222.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3351318785.00000000014BE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://193.233.132.56/cost/go.exe	d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2647485220.0000000001492000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2943052576.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944589602.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944963727.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934727765.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944248868.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942019558.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940827091.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3247558222.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3351318785.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2824519132.0000000001444000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2762153720.0000000001440000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2758759334.000000000143F000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2874193365.000000000143F000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3081226044.0000000001440000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759980015.0000000001444000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760938757.0000000001442000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760535342.0000000001441000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2825526740.0000000001443000.00000004.00000020.00020000.00000000.sdmp	false	25%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	d361f35322.exe, 00000009.00000003.2768632315.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2767613201.0000000007DD3000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2912919495.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3207151088.0000000007D26000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942633187.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2823800272.0000000007D04000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760693387.0000000007CF6000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759849367.0000000007CCC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 0000001E.00000002.2095956248.000001D4207A0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ipinfo.io/i	RageMP131.exe, 0000002E.00000002.2637513543.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/_	MPGPH131.exe, 0000001B.00000002.3350736971.0000000001417000.00000004.00000020.00020000.00000000.sdmp	false		high
https://youtube.comVISITOR_PRIVACY_METADATA/(9	d361f35322.exe, 00000009.00000003.2912110551.0000000007DBC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3204849861.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819272725.0000000007CB5000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819336338.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://193.233.132.56/cost/lenin.exew.s	MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://193.233.132.56/cost/lenin.exea.exe68.0l	d361f35322.exe, 00000009.00000003.2647485220.0000000001492000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://db-ip.com:443/demo/home.php?s=81.181.54.104r	d361f35322.exe, 00000024.00000002.3079225585.000000000136B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://193.233.132.56/cost/go.exemadka.ex	MPGPH131.exe, 0000001B.00000003.2943052576.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944589602.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944963727.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934727765.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2944248868.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942019558.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940827091.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3247558222.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3351318785.00000000014BE000.00000004.00000020.00020000.00000000.sdmp	false	22%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://t.me/RiseProSUPPORT8	d361f35322.exe, 00000024.00000003.2840876152.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3088709368.0000000007C6E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://youtube.comYSCv10	MPGPH131.exe, 0000001B.00000003.3204849861.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819272725.0000000007CB5000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819336338.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp, u6po.0.exe, 00000033.00000003.2232787568.00000000220DC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 0000001E.00000002.2315360912.000001D42EE5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2095956248.000001D4207A0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://t.me/RiseProSUPPORT3	MPGPH131.exe, 0000001B.00000002.3354975509.0000000008152000.00000004.00000020.00020000.00000000.sdmp	false		high
https://accounts.googl	d361f35322.exe, 00000024.00000003.2820673524.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2822343743.0000000007C6A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	d361f35322.exe, 00000009.00000003.2768632315.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2767613201.0000000007DD3000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2912919495.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3207151088.0000000007D26000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942633187.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2823800272.0000000007D04000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760693387.0000000007CF6000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759849367.0000000007CCC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%	d361f35322.exe, 00000024.00000003.2820673524.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelpX	powershell.exe, 0000001E.00000002.2095956248.000001D420547000.00000004.00000800.00020000.00000000.sdmp	false		high
https://affordcharmcropwo.shop:443/apiNAME=userUSERPROFILE=C:	RegAsm.exe, 0000001D.00000002.2226894863.0000000000CAA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/RiseProSUPPORT&	d361f35322.exe, 00000009.00000002.3082656269.0000000007D70000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/Mozilla/5.0	d361f35322.exe, 00000009.00000002.3073575028.0000000001449000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000002.3350736971.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942487367.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2941258327.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2940853881.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2943456957.0000000001477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2934755710.0000000001477000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3079225585.00000000013F2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000002E.00000002.2637513543.000000000101B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://youtube.comVISITOR_INFO1_LIVEv10%	MPGPH131.exe, 0000001B.00000003.3204849861.0000000008153000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819272725.0000000007CB5000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819336338.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp, u6po.0.exe, 00000033.00000003.2232787568.00000000220DC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://ac.ecosia.org/autocomplete?q=	d361f35322.exe, 00000009.00000003.2768632315.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2767613201.0000000007DD3000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2912919495.0000000007DE2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.3207151088.0000000007D26000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001B.00000003.2942633187.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2823800272.0000000007D04000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760693387.0000000007CF6000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759849367.0000000007CCC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/risepro_bot	RageMP131.exe, 0000002E.00000002.2637513543.0000000001038000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/risepro_botl	d361f35322.exe, 00000024.00000003.2824519132.0000000001444000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2762153720.0000000001440000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2758759334.000000000143F000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2874193365.000000000143F000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000002.3081226044.0000000001440000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759980015.0000000001444000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760938757.0000000001442000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2760535342.0000000001441000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2825526740.0000000001443000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2762501264.0000000001441000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2822644005.0000000001443000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2758475716.0000000001443000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2819365667.0000000001444000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2820817674.0000000001443000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000024.00000003.2759415774.000000000143F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://affordcharmcropwo.shop/api	RegAsm.exe, 0000001D.00000002.2274630744.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2226894863.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp	false	22%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://t.me/risepro_bote	d361f35322.exe, 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp, d361f35322.exe, 00000009.00000003.2647485220.0000000001492000.00000004.00000020.00020000.00000000.sdmp	false		high
http://147.45.47.102:57893/hera/amadka.exe.lv	MPGPH131.exe, 0000001B.00000002.3354809697.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
193.233.132.139	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	false
185.172.128.90	unknown	Russian Federation	50916	NADYMSS-ASRU	false
34.117.186.192	unknown	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
185.215.113.67	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
193.233.132.175	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	false
104.26.5.15	unknown	United States	13335	CLOUDFLARENETUS	false
176.97.76.106	unknown	United Kingdom	43658	INTRAFFIC-ASUA	false
193.233.132.56	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	true
142.251.2.84	unknown	United States	15169	GOOGLEUS	false
193.233.132.234	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	false
185.172.128.150	unknown	Russian Federation	50916	NADYMSS-ASRU	true
185.172.128.59	unknown	Russian Federation	50916	NADYMSS-ASRU	false
142.250.68.68	unknown	United States	15169	GOOGLEUS	false
104.21.60.76	unknown	United States	13335	CLOUDFLARENETUS	false
8.8.8.8	unknown	United States	15169	GOOGLEUS	false
147.45.47.93	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	false
104.21.67.211	unknown	United States	13335	CLOUDFLARENETUS	false
104.21.90.14	unknown	United States	13335	CLOUDFLARENETUS	false
77.221.151.47	unknown	Russian Federation	30968	INFOBOX-ASInfoboxruAutonomousSystemRU	false
189.195.132.134	unknown	Mexico	13999	MegaCableSAdeCVMX	false
172.67.169.89	unknown	United States	13335	CLOUDFLARENETUS	false
185.172.128.228	unknown	Russian Federation	50916	NADYMSS-ASRU	false
104.20.3.235	unknown	United States	13335	CLOUDFLARENETUS	false
172.67.176.131	unknown	United States	13335	CLOUDFLARENETUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
13.89.179.12	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
172.217.14.67	unknown	United States	15169	GOOGLEUS	false
104.21.84.71	unknown	United States	13335	CLOUDFLARENETUS	false
104.21.18.166	unknown	United States	13335	CLOUDFLARENETUS	false
31.41.44.147	unknown	Russian Federation	56577	ASRELINKRU	false
185.172.128.19	unknown	Russian Federation	50916	NADYMSS-ASRU	true
172.217.12.131	unknown	United States	15169	GOOGLEUS	false
104.21.92.190	unknown	United States	13335	CLOUDFLARENETUS	false
104.20.4.235	unknown	United States	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
172.67.19.24	unknown	United States	13335	CLOUDFLARENETUS	false
142.250.72.131	unknown	United States	15169	GOOGLEUS	false
142.250.189.14	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.4

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1436254
Start date and time:	2024-05-04 05:51:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 20m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	58
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	1CMweaqlKp.exe renamed because original name is a hash value
Original Sample Name:	8a19d654cb37e4e51be045acaf097e74.exe
Detection:	MAL
Classification:	mal100.phis.troj.spyw.expl.evad.winEXE@133/199@0/39
EGA Information:	Successful, ratio: 25%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for rundll32

Warnings

Max analysis timeout: 600s exceeded, the analysis took too long
Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, dllhost.exe, WerFault.exe, SIHClient.exe, conhost.exe, svchost.exe
Execution Graph export aborted for target 1CMweaqlKp.exe, PID 2912 because there are no executed function
Execution Graph export aborted for target amert.exe, PID 7928 because it is empty
Execution Graph export aborted for target explorta.exe, PID 8016 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Skipping network analysis since amount of network traffic is too extensive

Simulations

Behavior and APIs

Time	Type	Description
04:51:52	Task Scheduler	Run new task: explorta path: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe
04:52:15	Task Scheduler	Run new task: explorha path: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
04:52:21	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run d361f35322.exe C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe
04:52:23	Task Scheduler	Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
04:52:26	Task Scheduler	Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
04:52:29	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
04:52:33	Task Scheduler	Run new task: NewB.exe path: C:\Users\user\AppData\Local\Temp\1000069001\NewB.exe
04:52:38	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ac861238af.exe C:\Users\user\1000021002\ac861238af.exe
04:52:52	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run d361f35322.exe C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe
04:53:43	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
05:51:56	API Interceptor	1879x Sleep call for process: explorta.exe modified
05:52:19	API Interceptor	2744x Sleep call for process: explorha.exe modified
05:52:30	API Interceptor	46x Sleep call for process: RegAsm.exe modified
05:52:30	API Interceptor	1756x Sleep call for process: NewB.exe modified
05:52:30	API Interceptor	37x Sleep call for process: powershell.exe modified
05:52:46	API Interceptor	1753562x Sleep call for process: d361f35322.exe modified
05:53:00	API Interceptor	1x Sleep call for process: WerFault.exe modified
05:53:10	API Interceptor	38201454x Sleep call for process: MPGPH131.exe modified
05:53:15	API Interceptor	88x Sleep call for process: RageMP131.exe modified
05:53:21	API Interceptor	6x Sleep call for process: jok.exe modified
05:53:22	API Interceptor	164x Sleep call for process: rundll32.exe modified
05:54:58	API Interceptor	438x Sleep call for process: file300un.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.233.132.139	tZvjMg3Hw9.exe	Get hash	malicious	PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRAT	Browse	193.233.132.139/rumba/buben.exe
	WlCIinu0yp.exe	Get hash	malicious	LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer, Socks5Systemz, Vidar, zgRAT	Browse	193.233.132.139/padla/fiona.exe
	file.exe	Get hash	malicious	LummaC, PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRAT	Browse	193.233.132.139/padla/fiona.exe
	i1crvbOZAP.exe	Get hash	malicious	Amadey, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse	193.233.132.139/silno/download.php
185.172.128.90	JlvRdFpwOD.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=one&s=ab&sub=2838
	t8rEZVhm8F.exe	Get hash	malicious	PureLog Stealer, RedLine, SectopRAT, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=two&s=ab&sub=0
	LpCkcXmzD1.exe	Get hash	malicious	PureLog Stealer, RedLine, SectopRAT, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0
	cdII5mhga0.exe	Get hash	malicious	PureLog Stealer, RedLine, SectopRAT, Stealc, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=two&s=ab&sub=0
	vUHPxHrwaD.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0
	u7p2rff5aP.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=eight&s=ab&sub=0
	Cl87xHpeUC.exe	Get hash	malicious	PureLog Stealer, RedLine, SectopRAT, Stealc, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=two&s=ab&sub=0
	WkyVbL3QZv.exe	Get hash	malicious	PureLog Stealer, RedLine, SectopRAT, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=seven&s=ab&sub=0
	w9SuIZ5zTo.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=eight&s=ab&sub=0
	gpmpUMn9R3.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=two&s=ab&sub=0

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NADYMSS-ASRU	SecuriteInfo.com.Trojan.Siggen28.41706.73.21156.exe	Get hash	malicious	Unknown	Browse	185.172.128.142
	SecuriteInfo.com.Trojan.Siggen28.41706.73.21156.exe	Get hash	malicious	Unknown	Browse	185.172.128.142
	exDbnS3M12.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.151
	qa4Ulla1BY.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.151
	U8uFcjIjAR.exe	Get hash	malicious	LummaC, Amadey, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine	Browse	185.172.128.19
	JlvRdFpwOD.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.228
	tstreds.gagg.exe	Get hash	malicious	Atlantida Stealer	Browse	185.172.128.95
	tZvjMg3Hw9.exe	Get hash	malicious	PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRAT	Browse	185.172.128.203
	Luminar_v4.0.1.hta	Get hash	malicious	Cobalt Strike, Atlantida Stealer	Browse	185.172.128.95
	VOrqSh1Fts.exe	Get hash	malicious	Neoreklami, PureLog Stealer	Browse	185.172.128.203
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	https://herozheng.com/	Get hash	malicious	Unknown	Browse	34.117.152.183
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	https://wywljs.com/	Get hash	malicious	Unknown	Browse	34.117.152.183
	https://xdywna.com/	Get hash	malicious	Unknown	Browse	34.117.152.183
	https://mandrillapp.com/track/click/30551860/topbusiness.ro?p=eyJzIjoiWmkwVnFVYXdRYlFmYnVnd3Y3OWdtR2h1anpvIiwidiI6MSwicCI6IntcInVcIjozMDU1MTg2MCxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL3RvcGJ1c2luZXNzLnJvXFxcL3dwLWFkbWluXFxcL2pzXFxcL3dpZGdldHNcXFwvbWVkaWFcXFwvP2FjdGlvbj12aWV3JjE0MD1jMk52ZEhRdVpHRm9ibXRsUUd4allYUjBaWEowYjI0dVkyOXQmcjE9MTQwJnIyPTE0MCZub2lzZT00Q0hBUlwiLFwiaWRcIjpcImVjMTY1MjE1OWRhYTRjZTA5ZGZhODE5NTEzNzU2Mjg1XCIsXCJ1cmxfaWRzXCI6W1wiOGMyZTc5NjYyNTU5N2FjNDFlODZkYmM4MWMwMjI2MTFjZjYyYTIzMlwiXX0ifQ	Get hash	malicious	HTMLPhisher	Browse	34.117.77.79
	Pots.exe	Get hash	malicious	44userber Stealer, Rags Stealer	Browse	34.117.188.166
	vEaFCBsRb7.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	oO2wHSVFJM.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	https://www.opustrustweb.com/EmailTrackerAPI/open?token=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..62tVk07eUS1tgkfaDkQOqQ.nL-JZjGlYSBu9AibCOqK7-wJ7VXqjfoMrgeXwHgP6tLPx4s2jjofEWjZh794Ex5FiocFlK50_YxzembNjUsYkjIjaFyaIpNIDSPFE46cBlrxNy-t9VcCVcfKZphrojE0.AXzXZielor8D6px-r_wTOg&url=https://minicursodamariana.fun/nu/slceitil@emfa.pt	Get hash	malicious	HTMLPhisher	Browse	34.117.77.79
FREE-NET-ASFREEnetEU	SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	file.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	vEaFCBsRb7.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	oO2wHSVFJM.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	hYrJbjnzVc.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	KhbShPK91I.exe	Get hash	malicious	Unknown	Browse	193.233.132.56
	4yFaZU8fhT.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	RY5YJaMEWE.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	MejqsB9tx9.exe	Get hash	malicious	Amadey	Browse	193.233.132.56
	OUZXNOqKXg.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
WHOLESALECONNECTIONSNL	U8uFcjIjAR.exe	Get hash	malicious	LummaC, Amadey, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine	Browse	185.215.113.67
	Mz1rpaUC0i.exe	Get hash	malicious	RedLine	Browse	185.215.113.117
	957C4XK6Lt.exe	Get hash	malicious	Phorpiex	Browse	185.215.113.66
	c3nBx2HQG2.exe	Get hash	malicious	Glupteba, Mars Stealer, Phorpiex, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	185.215.113.66
	file.exe	Get hash	malicious	Phorpiex	Browse	185.215.113.66
	SecuriteInfo.com.Trojan.Siggen28.25504.27914.23637.exe	Get hash	malicious	Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse	185.215.113.46
	3RvPzfuxwM.exe	Get hash	malicious	RedLine	Browse	185.215.113.67
	bUWKfj04aU.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine	Browse	185.215.113.32
	80OrFCsz0u.exe	Get hash	malicious	GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	185.215.113.46
	SecuriteInfo.com.Win64.Evo-gen.28136.30716.exe	Get hash	malicious	GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	185.215.113.46
FREE-NET-ASFREEnetEU	SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	file.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	vEaFCBsRb7.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	oO2wHSVFJM.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	hYrJbjnzVc.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	KhbShPK91I.exe	Get hash	malicious	Unknown	Browse	193.233.132.56
	4yFaZU8fhT.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	RY5YJaMEWE.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	MejqsB9tx9.exe	Get hash	malicious	Amadey	Browse	193.233.132.56
	OUZXNOqKXg.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\freebl3.dll	pYJeC4VJbw.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	Wb9LZ5Sn1l.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	c4RAHq3BNl.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	exDbnS3M12.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	qa4Ulla1BY.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	U8uFcjIjAR.exe	Get hash	malicious	LummaC, Amadey, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine	Browse
	JlvRdFpwOD.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	LummaC, GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	0dN59ZIkEM.exe	Get hash	malicious	Vidar	Browse

Process:	C:\Users\user\AppData\Local\Temp\u6po.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 12, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 12
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.769103894580091
Encrypted:	false
SSDEEP:	96:Pxe9424im4/KlJiylsMjLslk5nYPphZEhcR2hO2mOwMU8tmKuzRk4PeOhZ3hcR1L:PxqZR8Z1txqWRHjNdaqlod8Itnb6Ggz
MD5:	5C6618D1A16E7CDC7483EEB2F8673CCC
SHA1:	F1AC3672B19A3B0B42530E5B4B35C1DC174A95BB
SHA-256:	B1A3506716B315D73158B363B031678C5372EDB4094A793557C0B44C9276087A
SHA-512:	02EABF44D6443533B8392CC52738F91806FF9931904413253564338A7A3C4921AD378B584F305ACBEC7464ADFB0182E433B72B30751E41165B25470E18BE1A2D
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2390528
Entropy (8bit):	7.919291926748545
Encrypted:	false
SSDEEP:	49152:bGY5918NqwTEgTcQ26a+gdlb2SAc4CSf24JbhV6qDpEovLz8MBpUoo:ohTP6t299CczlXMSlo
MD5:	C1BF02296C415ABC8B1F0ED13088D96D
SHA1:	6506E74510BC28BE318B75736EA0B36C62C6766C
SHA-256:	EE57FAE40BB8457A507F59569B111660438812426852E7B13299E841E82E8302
SHA-512:	CF4F8314054472920878DA5237D258EF9E2C728AE1BB0487F5ACCE938A3842567BD3036F8C40F6A6D18501F8D80E9A4FE1E7F517F1315A47326A0F0D29317D03
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 53%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y...s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L.....2f...............'..............]...........@...........................].......$...@.................................^0..r....p........................\...............................\.................................@................... . .`..........................@....rsrc........p......................@....idata .....0......................@... ....@......................@...agovwish......D.....................@...lcjgmmfi......]......T$.............@....taggant.0....].."...X$.............@...........................................................................................................................................................................................

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9262529916296979
Encrypted:	false
SSDEEP:	192:BiwrDiSYX6c0BU/uvFaGszuiFgZ24IO8Ed:Bi0DpYX6XBU/uvFadzuiFgY4IO8Ed
MD5:	9AD702CE02A0F52A90A53E6498973A48
SHA1:	C40437785F1B2C29B8CA788ADB8457B17C3D68CE
SHA-256:	98EC6B7889B1FFF50AB71A0594AB7CE34971331F29A5D67C972C0D7D39703E38
SHA-512:	8AF0854CC5B87E20D18D7455A49634C4D8BCE7B29A1CDF24F7285E522877E6436C8E75EF40502B787C7C51C76392F80C2361A2C510D3130C22164BB7E4CDDDFF
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.9.2.6.8.3.4.6.9.8.6.8.0.0.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.9.2.6.8.3.4.9.6.4.6.9.5.8.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.7.5.9.1.c.c.2.-.a.5.5.d.-.4.4.5.2.-.b.1.0.5.-.c.1.5.c.d.a.3.8.f.1.5.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.8.e.c.c.8.8.0.-.6.5.6.1.-.4.d.0.1.-.9.9.0.5.-.6.9.e.8.7.5.9.0.d.a.5.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.w.i.i.i.i.i...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.C.M.S.T.P...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.a.1.c.-.0.0.0.1.-.0.0.1.4.-.5.1.f.0.-.c.6.7.8.d.6.9.d.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.f.4.0.2.9.a.9.7.d.3.e.3.4.2.c.a.a.8.8.8.2.3.7.5.d.c.b.c.2.b.1.0.0.0.0.0.9.0.4.!.0.0.0.0.3.3.a.e.d.a.d.b.5.3.6.1.f.1.6.4.6.c.f.f.d.6.8.7.9.1.d.7.2.b.a.5.f.1.4.2.4.1.1.4.!.

Process:	C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1166336
Entropy (8bit):	7.035569611926666
Encrypted:	false
SSDEEP:	24576:oqDEvCTbMWu7rQYlBQcBiT6rprG8auw2+b+HdiJUX:oTvC/MTQYxsWR7auw2+b+HoJU
MD5:	34C3E84E001DB4CF23A94BE34D462F11
SHA1:	9B8C2530B209F24FE68453B6B0173C240F308DA9
SHA-256:	A72A1A6DDEA799284A544697471BE6F796CB7A0B7CF8857F3FDC7277EEAE10CC
SHA-512:	F31948B3F6A431BCC4297D7AC9CA36D362947202A9B9D4322476AFE5F60C1C8E13F1E7FD93E38410F3D6ED87B2C1920709C25A0F40A23BB602F8F374527DAA5B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 35%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L.....5f..........".................w.............@..........................0............@...@.......@.....................d...\|....@..\|a.......................u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...\|a...@...b..................@..@.reloc...u.......v...V..............@..B........................................................................................................................................................................................................................................................................

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4406144
Entropy (8bit):	7.976285875147776
Encrypted:	false
SSDEEP:	98304:pjkS767mgfCql3JGv/ahl+SHfFvOcmDv82yK3QQoN3V/EE:pIS769aql4v/ahlHt2c0v7pgQoZ
MD5:	26D8B57793A75CEC9D9265BF16ED905C
SHA1:	F427028D21A2A6406BBB98CFB53851C3EA534883
SHA-256:	3C8C36618E1EAA925CFA7E7ADC78D22D3440C5D2DF88DF55C50E6FA3F2E1FA9E
SHA-512:	957704A0FB5877E43C96ADA9FAB01E3A193CFB0D79B4DFDE093AAE6432206477F7D8247D0A525AFCFEE62742056AAF4CF6E623DDBFCBE6A750B36F42051CC795
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 34% Antivirus: Virustotal, Detection: 44%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.~....H...H...H...H...H...H...H...H%..H...H...H...Ha..H.].H...H...H...H.].H...HRich...H........................PE..L.....d.............................A....... ....@.................................uGC........................................<....... ............0C..............!..8............................y..@............ ..x............................text............................... ..`.rdata..Lm... ...n..................@..@.data.............?..~..............@....rsrc... ............ A.............@..@................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\AppData\Local\Temp\1000073001\swiiii.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

Process:	C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	428544
Entropy (8bit):	6.494348537450964
Encrypted:	false
SSDEEP:	12288:5noAx+FnmuQhimtPURimLqevmipum+K4Y:5+FnmuGtpMLnLYY
MD5:	0099A99F5FFB3C3AE78AF0084136FAB3
SHA1:	0205A065728A9EC1133E8A372B1E3864DF776E8C
SHA-256:	919AE827FF59FCBE3DBAEA9E62855A4D27690818189F696CFB5916A88C823226
SHA-512:	5AC4F3265C7DD7D172284FB28C94F8FC6428C27853E70989F4EC4208F9897BE91720E8EEE1906D8E843AB05798F3279A12492A32E8A118F5621AC5E1BE2031B6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\NewB[1].exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 91% Antivirus: Virustotal, Detection: 85%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......wD..3%..3%..3%..hM..=%..hM...%..hM.. %...H..!%...H..'%...H..F%..hM.."%..3%...%...K..2%...Ko.2%...K..2%..Rich3%..........................PE..L.... Me..........................................@.......................................@.................................D...x....p...........................L..P...8...................,...........@............................................text............................... ..`.rdata..............................@..@.data....F... ...4..................@....rsrc........p.......:..............@..@.reloc...L.......N...<..............@..B................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	14437
Entropy (8bit):	4.960379440179098
Encrypted:	false
SSDEEP:	384:iVib49PVoGIpN6KQkj2kkjh4iUxMhQzhIqYo8YKib4o:iFPV3IpNBQkj2Nh4iUxMhihIqYo8YR
MD5:	F2E1B889FAD5371C1763FB12D73B4EAE
SHA1:	AE45955F14208A1232CD0BB6EDEB1D5CC7C3CCA1
SHA-256:	F2EF4393FE68ED5FD087C4E656340A94B58D90B464F9427C2A01C7C880B8E95B
SHA-512:	0B5B26684345297B8540A7BA4D15BBDDF76B9319ABCD97835167C95EEF66B9119B7C2B63A210FB633F4A1CD0C5D23A4BDC6750C59CF0B5E53EF7B443F4E29D70
Malicious:	false
Preview:	PSMODULECACHE......e..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.............z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

Process:	C:\Users\user\AppData\Local\Temp\1000019001\amert.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1885696
Entropy (8bit):	7.950545984341186
Encrypted:	false
SSDEEP:	49152:cEn984TQ5OfyNqCq9/eMwfbsbTWX/cEeprH+/hngYQgDqa:7e4M5eyNqCuGCT2/cprH+/Rgcea
MD5:	E67C8B3E5EC9F64052FCD2F45341CFA5
SHA1:	0D809A3D9BC171D7A0DCBF2B6C3F3B009444ADC9
SHA-256:	1A94AE9809AF376B056D751363C524C22284D4BD978F30723DEB2C1F8307245B
SHA-512:	FE4C0E98881465A6627522F1D484983EBC9298870107156986A5BD6E5DB78D7C4D1FDA9B2B2DE663EFD343FD90A01DF058A85895B8BB1347B2026FB327A66624
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.Y@...@...@....m..Q....m.......h..R....h..W....h..5....m..U....m..S...@........k..A....k1.A....k..A...Rich@...........PE..L...o..e..............................J...... ....@...........................J...........@.................................V...j............................J...............................J..................................................... . ............................@....rsrc...............................@....idata ............................@... .@*.........................@...avcjhwxy......0.....................@...nkwkrymv......J.....................@....taggant.0....J.."..................@...................................................................................................................................................................................................................................

Process:	C:\Users\user\Desktop\1CMweaqlKp.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1793040
Entropy (8bit):	7.95023297552325
Encrypted:	false
SSDEEP:	49152:mQKkQGW5tuFxaLTdYZWakRk43qB75IzCed:mvtH5AFYMWa5WqBSt
MD5:	8A19D654CB37E4E51BE045ACAF097E74
SHA1:	7A3A86421A806D2BA66AE84E86305847C8B1F766
SHA-256:	59B3AF1A244A082219116ED9B496DE99236B01AE42DF75BF4211ED2B7069BC4B
SHA-512:	DF54F9F61B5C9E9A79EDF17732B6BB630D945F813F00579B79F021735D3F3C6802A463D9D6F41A75D3703A86A0844B9F587C3961E44AE53045DDB25B67438681
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.Y@...@...@....m..Q....m.......h..R....h..W....h..5....m..U....m..S...@........k..A....k1.A....k..A...Rich@...........PE..L...yO&f............................X`<...........@...........................T......W....@..........................................0........................T.............................. ...................................................... J........,.................. ..` N........V...0..............@..@ .E... ......................@... .....p......................@..@ .K.......0..................@..B.vm_sec..@.......@..................@....idata..............................@....tls......... ...........................rsrc........0......................@..@.themida. 5..@......................`....boot....P...`<..P..................`..`.reloc........T......\.................@........................

Process:	C:\Windows\System32\rundll32.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690067217069288
Encrypted:	false
SSDEEP:	12:wSQanHEC73FqjThUbJwuUn5qPyd2whRZfZOaH5KrqXzJI/y5bjbVMmRYAPL8fx7T:wHu73FWhUNwzqq2OfX82JdHRNPLcxdl
MD5:	4E32787C3D6F915D3CB360878174E142
SHA1:	57FF84FAEDF66015F2D79E1BE72A29D7B5643F47
SHA-256:	2BCD2A46D2DCED38DE96701E6D3477D8C9F4456FFAE5135C0605C8434BA60269
SHA-512:	CEC75D7CCFA70705732826C202D144A8AC913E7FCFE0D9B54F6A0D1EEC3253B6DEFFB91E551586DA15F56BA4DE8030AC23EE28B16BB80D1C5F1CB6BECF9C21BE
Malicious:	false
Preview:	AIXACVYBSBCZDJMZUDVNECMFSGJSAOAIXCJFDPHQJVUANUFFPQXVYJRUGYPJGKEJNXCBTXARAETAKFTJKVLIZEXLMOAPVEZRZZUIRDUKSPZRBPINNEKLCLXBHFZMBRJTUJZTRCGQGFRQCEVPUBAAPBHBTYYHDJZHHPMFAKXVJPQRQCRUFYPMNUCRRQOYXYEHXQEHWHFLZSBMLRRZFLLYUQLADTKEDXVDLKLPZTTCNAXMXPSTCHQKWMSRPNRZGULFHOTUOYUSIVJEHUYPRYGESSFFMBWDPFRMTVBZEHTJSPRMDJISAZPMEWNGPGIXXTDNHCOBSXAWEFWRZNECKZGORELWMEPSAPLSTZZPUKXURSKTFSUSFEZMXMAIMRJZNGCVKLOHPVMZEIXIISXVMQHQTSADYWZQSWYVJHHONOOSZPQVWIUFMVXBXYCJOMERCQSVXERFAOOENLKARQGTECAIXOXEZPFDFJHYFCKLADMCWYOMCITRHMECVVVNPNTSRXYGYRKZUTOFNBMHDZWYHPYLTWEIGWOIGBTHWYGIXBCUDYMZMTZNYQMZLMXKPNFZDUEXXQLFJZZZVOPBEZKTKTJCTNUPRCNNGCPTIHKPTGBJLGUENNUGTZVMZJGQGUVBRLOJZECBLINEKGSIRFWZPWMVYJNEPWGYIAHKMJRBZMRVIBPONMHBDQZYFBHDDMYBZZAFEPAQFFUPIGGYNSPVXUWNNCWAUZXAGCATPNHNNYICDCRMTKRODUCDDFZKHLISLVOIFZPDTOSIEREFHYEWUBJKJRWXMZUGCPUXCPEXUQPWTSKEYSDPEICDQMMKUKJLDNQEHQQCYKRMWOUSJVTVSZJTFZCDVNUMEIZFWDNWCNCSCHBYNKRUSXPVMRIHGXDUPKXMZUIELSRXMZAEUNCCYZTEYLUYYRNSFUTHFESJOLGKJVGGNVJKSFSETAIHYOMLBOPRYAHSCATJUXNTWVZPEMECBVVHKHDELQRTQBEBXPJJ

Process:	C:\Users\user\AppData\Local\Temp\1000234001\ISetup8.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	325632
Entropy (8bit):	6.7003892518717905
Encrypted:	false
SSDEEP:	3072:AkNSgvhj/pPlMy18blHV+pxuC0zPFgO3nOMiWAho4fOg1cUGwc6fAk15vBTFusKP:XL7Ha9V5g+mhqsGz6fL1VBpK0
MD5:	F2CE35E5AA2A7771759D7F424F2803AC
SHA1:	84EFB9F0C5194DBC9389A0D4D11941FCEA251F24
SHA-256:	FB1DABFF73054915AC62E6631D8ED79F64658AB3CC93AD990036F57056159C6F
SHA-512:	395D69AECED142DDDA5C83029926FA2E987D0EC2CBA7FA3C35B1F11DA2B94E915F4891088CF8839811E9B141D25B7ED85F2195C02B349E2FFC1D1EB942AB6FD1
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.~....H...H...H...H...H...H...H...H%..H...H...H...Ha..H.].H...H...H...H.].H...HRich...H........................PE..L...d..d.....................z`......A....... ....@...........................a.....D..........................................<....._. ............................!..8............................y..@............ ..x............................text............................... ..`.rdata..Lm... ...n..................@..@.data...(.]......j...~..............@....rsrc... ....._.....................@..@................................................................................................................................................................................................................................................................................................................................................................

Entrypoint:	0x7c6058
Entrypoint Section:	.boot
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66264F79 [Mon Apr 22 11:52:25 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	9dfe5757453ac4b6ed82bf0cf7ab0266

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7109f	0xc0	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x73000	0x7e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x54b000	0x10	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x72018	0x18	.tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x4e44a	0x22c00	a5e751a92a1947726cc67adfef4a0373	False	0.9998594874100719	data	7.9986661792698115	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
	0x50000	0x11c4e	0x5600	85b290aba621320b3a049fa51378c3dd	False	0.9919149709302325	data	7.976162209855725	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x62000	0x45a4	0x800	2a3e8ea4dc9277bcd556451c4ee91650	False	1.00537109375	data	7.830994967960864	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x67000	0x1e0	0x200	1b480a6bcbebe55da620b713671dc6c8	False	0.888671875	data	6.653586874235383	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x68000	0x4bc4	0x3000	20c37b764ed7c0c6e76f0ba67ca90a84	False	0.98486328125	data	7.942117552678557	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.vm_sec	0x6d000	0x4000	0x4000	6cee6e2c9038a4e137fc8ad2cb72b7cb	False	0.161376953125	data	2.8770965350351982	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x71000	0x1000	0x200	f9eef23d1138690aeba265ff5448dfca	False	0.3828125	data	2.863715215086496	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x72000	0x1000	0x200	f6363c53ce07d09b61b63b66eb8cf6ba	False	0.056640625	data	0.18120187678200297	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x73000	0x1000	0x800	87acbb71b21ab4ae100181a4447d8be5	False	0.4111328125	data	5.44897069280421	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.themida	0x74000	0x352000	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.boot	0x3c6000	0x185000	0x185000	164450c06cec20e88bfe7678fc794b45	False	0.9902337473891388	data	7.955810157618839	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x54b000	0x1000	0x10	e9e9559f85469b458c40ee7aae3a2776	False	1.5	GLS_BINARY_LSB_FIRST	2.349601752714581	IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x73078	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727
RT_MANIFEST	0x73208	0x5d7	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.43478260869565216

DLL	Import
kernel32.dll	GetModuleHandleA
ADVAPI32.dll	RegCloseKey
SHELL32.dll	SHGetFolderPathA
ole32.dll	CoUninitialize
WININET.dll	HttpOpenRequestA
WS2_32.dll	closesocket

Target ID:	0
Start time:	05:51:51
Start date:	04/05/2024
Path:	C:\Users\user\Desktop\1CMweaqlKp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\1CMweaqlKp.exe"
Imagebase:	0x730000
File size:	1'793'040 bytes
MD5 hash:	8A19D654CB37E4E51BE045ACAF097E74
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000003.1626992485.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.1663899661.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	1
Start time:	05:51:54
Start date:	04/05/2024
Path:	C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe"
Imagebase:	0x700000
File size:	1'793'040 bytes
MD5 hash:	8A19D654CB37E4E51BE045ACAF097E74
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000001.00000003.1663910421.0000000000C90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Target ID:	4
Start time:	05:51:57
Start date:	04/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2656 --field-trial-handle=2296,i,9301016893778941798,11505312185340456869,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1CMweaqlKp.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Threatname: Vidar

Threatname: SmokeLoader

Threatname: Amadey

Threatname: RedLine

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Stealing of Sensitive Information

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\CGDHDHJEBGHJKFIECBGCBGCAFI

C:\ProgramData\EHCBAAAF

Windows Analysis Report
1CMweaqlKp.exe

Target ID:	5
Start time:	05:52:00
Start date:	04/05/2024
Path:	C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe
Imagebase:	0x700000
File size:	1'793'040 bytes
MD5 hash:	8A19D654CB37E4E51BE045ACAF097E74
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000005.00000003.1721215690.00000000011E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000005.00000002.1732128904.0000000000701000.00000020.00000001.01000000.00000007.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	6
Start time:	05:52:01
Start date:	04/05/2024
Path:	C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe
Wow64 process (32bit):
Commandline:	"C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe"
Imagebase:
File size:	1'793'040 bytes
MD5 hash:	8A19D654CB37E4E51BE045ACAF097E74
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	7
Start time:	05:52:09
Start date:	04/05/2024
Path:	C:\Users\user\AppData\Local\Temp\1000019001\amert.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000019001\amert.exe"
Imagebase:	0x610000
File size:	1'885'696 bytes
MD5 hash:	E67C8B3E5EC9F64052FCD2F45341CFA5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000007.00000002.1868102298.0000000000611000.00000040.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000007.00000003.1826787054.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	9
Start time:	05:52:14
Start date:	04/05/2024
Path:	C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000020001\d361f35322.exe"
Imagebase:	0x7e0000
File size:	2'390'528 bytes
MD5 hash:	C1BF02296C415ABC8B1F0ED13088D96D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.3073575028.0000000001456000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000009.00000002.3082656269.0000000007D70000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Target ID:	11
Start time:	05:52:17
Start date:	04/05/2024
Path:	C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
Imagebase:	0x930000
File size:	1'885'696 bytes
MD5 hash:	E67C8B3E5EC9F64052FCD2F45341CFA5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000000B.00000003.1904362561.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000000B.00000002.1945079164.0000000000931000.00000040.00000001.01000000.0000000D.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	14
Start time:	05:52:21
Start date:	04/05/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Imagebase:	0xb50000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	19
Start time:	05:52:22
Start date:	04/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	22
Start time:	05:52:23
Start date:	04/05/2024
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh wlan show profiles
Imagebase:	0x7ff6c8ed0000
File size:	96'768 bytes
MD5 hash:	6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	26
Start time:	05:52:25
Start date:	04/05/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
Imagebase:	0x5a0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	27
Start time:	05:52:26
Start date:	04/05/2024
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase:	0x700000
File size:	2'390'528 bytes
MD5 hash:	C1BF02296C415ABC8B1F0ED13088D96D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000001B.00000002.3354975509.0000000008152000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 53%, Virustotal, Browse
Has exited:	false