Windows Analysis Report
setup.exe

Overview

General Information

Sample name: setup.exe
Analysis ID: 1465696
MD5: 5ad5e4f1f3126c5d6cfdbfbbe5597c84
SHA1: 47b46cbe987e0e33c9d23f4c6cc304d116e5e80f
SHA256: e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0
Tags: Amadey, exe

Detection

LummaC, Amadey, LummaC Stealer, Mars Stealer, RedLine, SmokeLoader, Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected LummaC Stealer
Yara detected Mars stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Creates a thread in another existing process (thread injection)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
PE file contains section with special chars
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Switches to a custom stack to bypass stack traces
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Use Short Name Path in Command Line
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: SmokeLoader
Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body.
Attribution: SMOKY SPIDER
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and RedLine. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
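The Stealc description above, together with the Avira URL Cloud hits further down (http://40.86.87.10/b13597c85f807692/sqlite3.dll, freebl3.dll, vcruntime140.dll, msvcp140.dll and the matching paths on 65.21.175.0), gives a network detection opportunity that does not depend on the C2 address: a single client pulling several of those seven helper DLLs from one web directory within seconds. The following script is an added example and not part of this report or of Joe Sandbox; the proxy log layout ("timestamp client method url"), the client addresses, the timestamps, the threshold of three distinct DLLs and the five-minute window are all assumptions, while the C2 URLs are the ones listed in this report.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# The seven helper DLLs named in the Stealc description above. The URL Cloud
# entries in this report show them fetched from one directory on the C2 right
# after the first .php check-in.
STEALC_HELPER_DLLS = {
    "sqlite3.dll", "nss3.dll", "vcruntime140.dll", "mozglue.dll",
    "freebl3.dll", "softokn3.dll", "msvcp140.dll",
}
MIN_DISTINCT_DLLS = 3   # assumed threshold; tune against your own proxy baseline
WINDOW_SECONDS = 300    # assumed window; the real fetches arrive within seconds

# Assumed proxy log layout: "<ISO timestamp> <client ip> <method> <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")

# Constructed sample: one infected client (10.0.0.5) talking to the C2 seen in
# this report, one clean client (10.0.0.9) fetching two runtime DLLs from a CDN.
SAMPLE_PROXY_LOG = """\
2024-06-28T10:00:01 10.0.0.5 POST http://40.86.87.10/108e010e8f91c38c.php
2024-06-28T10:00:02 10.0.0.5 GET http://40.86.87.10/b13597c85f807692/sqlite3.dll
2024-06-28T10:00:02 10.0.0.5 GET http://40.86.87.10/b13597c85f807692/freebl3.dll
2024-06-28T10:00:03 10.0.0.5 GET http://40.86.87.10/b13597c85f807692/mozglue.dll
2024-06-28T10:00:03 10.0.0.5 GET http://40.86.87.10/b13597c85f807692/msvcp140.dll
2024-06-28T10:00:04 10.0.0.5 GET http://40.86.87.10/b13597c85f807692/nss3.dll
2024-06-28T10:00:04 10.0.0.5 GET http://40.86.87.10/b13597c85f807692/softokn3.dll
2024-06-28T10:00:05 10.0.0.5 GET http://40.86.87.10/b13597c85f807692/vcruntime140.dll
2024-06-28T10:07:10 10.0.0.9 GET https://aka.ms/vs/17/release/vc_redist.x64.exe
2024-06-28T10:09:00 10.0.0.9 GET https://cdn.example.com/app/sqlite3.dll
2024-06-28T11:30:00 10.0.0.9 GET https://cdn.example.com/app/msvcp140.dll
"""


def parse_line(line):
    """Split one proxy log line into its fields; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m["url"])
    directory, _, name = url.path.rpartition("/")
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "client": m["client"],
        "method": m["method"],
        "host": url.netloc,
        "dir": directory or "/",
        "name": name.lower(),
    }


def detect_stealc_dll_fetches(lines):
    """Return one alert per (client, host, directory) that pulled at least
    MIN_DISTINCT_DLLS of the helper DLLs from the same web directory inside WINDOW_SECONDS."""
    fetches = defaultdict(list)  # (client, host, dir) -> [(ts, dll name), ...]
    for line in lines:
        ev = parse_line(line)
        if ev and ev["method"] == "GET" and ev["name"] in STEALC_HELPER_DLLS:
            fetches[(ev["client"], ev["host"], ev["dir"])].append((ev["ts"], ev["name"]))

    alerts = []
    for (client, host, directory), events in fetches.items():
        events.sort()
        best, start = set(), 0
        for end in range(len(events)):  # sliding time window over the sorted fetches
            while (events[end][0] - events[start][0]).total_seconds() > WINDOW_SECONDS:
                start += 1
            names = {n for _, n in events[start:end + 1]}
            if len(names) > len(best):
                best = names
        if len(best) >= MIN_DISTINCT_DLLS:
            alerts.append({"client": client, "host": host, "dir": directory, "dlls": sorted(best)})
    return alerts


if __name__ == "__main__":
    for a in detect_stealc_dll_fetches(SAMPLE_PROXY_LOG.splitlines()):
        print(f"{a['client']} fetched {len(a['dlls'])} Stealc helper DLLs from http://{a['host']}{a['dir']}/")
```

The grouping key deliberately includes the directory, because the DLLs are legitimate files and a CDN serving one of them to many clients is normal; what is abnormal is one host pulling most of the set from one path, typically a bare IP over plain HTTP, within seconds of a POST to a .php endpoint on the same server.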

AV Detection

Source: setup.exe Avira: detected
Source: http://40.86.87.10/108e010e8f91c38c.php# Avira URL Cloud: Label: malware
Source: http://65.21.175.0 Avira URL Cloud: Label: malware
Source: http://77.91.77.81/Kiru9gu/index.phpX Avira URL Cloud: Label: phishing
Source: http://40.86.87.10/b13597c85f807692/vcruntime140.dllqk Avira URL Cloud: Label: malware
Source: http://40.86.87.10/108e010e8f91c38c.php: Avira URL Cloud: Label: malware
Source: http://40.86.87.10/108e010e8f91c38c.php= Avira URL Cloud: Label: malware
Source: http://40.86.87.10/108e010e8f91c38c.php9 Avira URL Cloud: Label: malware
Source: http://40.86.87.10/b13597c85f807692/freebl3.dll Avira URL Cloud: Label: malware
Source: http://40.86.87.10/108e010e8f91c38c.php7 Avira URL Cloud: Label: malware
Source: http://77.91.77.81/Kiru9gu/index.phpo Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/Kiru9gu/index.phpl Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/Kiru9gu/index.phpd Avira URL Cloud: Label: phishing
Source: http://40.86.87.10/108e010e8f91c38c.php4 Avira URL Cloud: Label: malware
Source: http://40.86.87.10 Avira URL Cloud: Label: malware
Source: http://77.91.77.81/lend/stealc_zov.exeu Avira URL Cloud: Label: phishing
Source: http://65.21.175.0/b13597c85f807692/sqlite3.dllen-GB Avira URL Cloud: Label: malware
Source: http://40.86.87.10/b13597c85f807692/msvcp140.dllGIECBGHIJEHIIDGD4 Avira URL Cloud: Label: malware
Source: http://77.91.77.81/Kiru9gu/index.php~1 Avira URL Cloud: Label: phishing
Source: http://cx5519.com/tmp/index.php Avira URL Cloud: Label: malware
Source: http://40.86.87.10/b13597c85f807692/vcruntime140.dll Avira URL Cloud: Label: malware
Source: http://evilos.cc/tmp/index.php Avira URL Cloud: Label: malware
Source: http://40.86.87.10/108e010e8f91c38c.phps Avira URL Cloud: Label: malware
Source: http://40.86.87.10/108e010e8f91c38c.phpg Avira URL Cloud: Label: malware
Source: https://potterryisiw.shop/apim Avira URL Cloud: Label: malware
Source: http://40.86.87.10/108e010e8f91c38c.phpL Avira URL Cloud: Label: malware
Source: http://40.86.87.10/108e010e8f91c38c.phpM Avira URL Cloud: Label: malware
Source: http://40.86.87.10/108e010e8f91c38c.phpD Avira URL Cloud: Label: malware
Source: http://65.21.175.0/108e010e8f91c38c. Avira URL Cloud: Label: malware
Source: https://potterryisiw.shop/apik Avira URL Cloud: Label: malware
Source: http://40.86.87.10/108e010e8f91c38c.phpU Avira URL Cloud: Label: malware
Source: http://40.86.87.10/108e010e8f91c38c.phpR Avira URL Cloud: Label: malware
Source: https://potterryisiw.shop/apiX Avira URL Cloud: Label: malware
Source: http://40.86.87.10/108e010e8f91c38c.phpO Avira URL Cloud: Label: malware
Source: http://65.21.175.0/b13597c85f807692/sqlite3.dll$ Avira URL Cloud: Label: malware
Source: https://potterryisiw.shop/api4 Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\stealc_zov[1].exe Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\crypt6[1].exe Avira: detection malicious, Label: HEUR/AGEN.1317026
Source: 00000011.00000002.2985442915.0000000000D97000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: StealC {"C2 url": "http://65.21.175.0/108e010e8f91c38c.php"}
Source: 00000027.00000002.2185877753.0000000002D80000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://evilos.cc/tmp/index.php", "http://gebeus.ru/tmp/index.php", "http://office-techs.biz/tmp/index.php", "http://cx5519.com/tmp/index.php"]}
Source: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmp Malware Configuration Extractor: Vidar {"C2 url": "http://65.21.175.0/108e010e8f91c38c.php"}
Source: 18.2.Freshbuild.exe.30000.0.unpack Malware Configuration Extractor: Amadey {"C2 url": "185.172.128.116/Mb3GvQs8/index.php", "Version": "4.30"}
Source: 21.2.crypt6.exe.950000.0.unpack Malware Configuration Extractor: RedLine {"C2 url": "4.185.56.82:42687", "Bot Id": "LiveTraffoc", "Message": "Error, disable antivirus and try again!", "Authorization Header": "238eb848efbf8f0276be0a0ec24f81cd"}
Source: BitLockerToGo.exe.1504.31.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["pedestriankodwu.xyz", "towerxxuytwi.xyzi", "ellaboratepwsz.xyz", "penetratedpoopp.xyz", "swellfrrgwwos.xyze", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop"], "Build id": "DWWXLF--24524534563"}
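The six "Malware Configuration Extractor" lines above carry the C2 values for every family in this sample in three different shapes: full URLs (StealC, Vidar, SmokeLoader), a scheme-less host plus path (Amadey), a bare IP:port socket (RedLine) and a list of bare domains (LummaC). The script below is an added example, not part of this report or of Joe Sandbox, that turns those lines into a typed IOC list. It assumes that scheme-less entries are plain HTTP and that the extractor only uses the keys "C2 url" and "C2 list" for C2 values; the input lines are copied verbatim from this report.

```python
import json
import re
from urllib.parse import urlsplit

# The "Malware Configuration Extractor" lines of this report, copied verbatim.
CONFIG_LINES = [
    'Source: 00000011.00000002.2985442915.0000000000D97000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: StealC {"C2 url": "http://65.21.175.0/108e010e8f91c38c.php"}',
    'Source: 00000027.00000002.2185877753.0000000002D80000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://evilos.cc/tmp/index.php", "http://gebeus.ru/tmp/index.php", "http://office-techs.biz/tmp/index.php", "http://cx5519.com/tmp/index.php"]}',
    'Source: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmp Malware Configuration Extractor: Vidar {"C2 url": "http://65.21.175.0/108e010e8f91c38c.php"}',
    'Source: 18.2.Freshbuild.exe.30000.0.unpack Malware Configuration Extractor: Amadey {"C2 url": "185.172.128.116/Mb3GvQs8/index.php", "Version": "4.30"}',
    'Source: 21.2.crypt6.exe.950000.0.unpack Malware Configuration Extractor: RedLine {"C2 url": "4.185.56.82:42687", "Bot Id": "LiveTraffoc", "Message": "Error, disable antivirus and try again!", "Authorization Header": "238eb848efbf8f0276be0a0ec24f81cd"}',
    'Source: BitLockerToGo.exe.1504.31.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["pedestriankodwu.xyz", "towerxxuytwi.xyzi", "ellaboratepwsz.xyz", "penetratedpoopp.xyz", "swellfrrgwwos.xyze", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop"], "Build id": "DWWXLF--24524534563"}',
]

LINE_RE = re.compile(r"Malware Configuration Extractor: (?P<family>\S+) (?P<cfg>\{.*\})\s*$")
C2_KEYS = ("C2 url", "C2 list")   # assumed: the only keys the extractor uses for C2 values here
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def classify_c2(value):
    """Normalise one raw C2 value into (kind, host, indicator).
    kind is 'url' (host plus path), 'ip_port' (bare socket, RedLine style), 'ip',
    'domain', or 'unparsed' when no host can be recovered."""
    raw = value.strip()
    with_scheme = raw if "://" in raw else "http://" + raw   # assumed: scheme-less entries are plain HTTP
    parts = urlsplit(with_scheme)
    host = (parts.hostname or "").lower()
    try:
        port = parts.port
    except ValueError:          # non-numeric port in the extracted string
        port = None
    if not host:
        return "unparsed", "", raw
    if parts.path not in ("", "/") or parts.query:
        return "url", host, with_scheme
    if IPV4_RE.match(host):
        return ("ip_port", host, f"{host}:{port}") if port else ("ip", host, host)
    return "domain", host, host


def extract_iocs(lines):
    """Return a de-duplicated list of {'family','kind','host','indicator'} dicts
    built from the extractor lines; the same C2 reported for two families stays
    as two records, so the family attribution is not lost."""
    seen, iocs = set(), []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        cfg = json.loads(m["cfg"])
        for key in C2_KEYS:
            values = cfg.get(key, [])
            for value in ([values] if isinstance(values, str) else values):
                kind, host, indicator = classify_c2(value)
                rec = (m["family"], kind, host, indicator)
                if rec not in seen:
                    seen.add(rec)
                    iocs.append(dict(zip(("family", "kind", "host", "indicator"), rec)))
    return iocs


def blocklist_hosts(iocs):
    """Unique hosts across all families, the shape a DNS sinkhole or proxy blocklist wants."""
    return sorted({i["host"] for i in iocs if i["host"]})


if __name__ == "__main__":
    found = extract_iocs(CONFIG_LINES)
    for i in found:
        print(f"{i['family']:<12}{i['kind']:<9}{i['indicator']}")
    print("hosts:", ", ".join(blocklist_hosts(found)))
```

Two of the LummaC entries ("towerxxuytwi.xyzi", "swellfrrgwwos.xyze") end in a character that the neighbouring entries lack and that matches the trailing-byte pattern visible in the Avira URL Cloud lines of this report; treat extractor output as memory-carved text and verify such values before they go into a blocklist. Note also that StealC and Vidar share the same C2 URL here, which is consistent with the shared lineage stated in the Stealc description.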
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\crypt6[1].exe ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\newlogs[1].exe ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\Freshbuild[1].exe ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\newbuild[1].exe ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\stealc_zov[1].exe ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\whiteheroin[1].exe ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\50EC.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\786A.exe ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Roaming\d3d9.dll ReversingLabs: Detection: 91%
Source: setup.exe ReversingLabs: Detection: 68%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\crypt6[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\whiteheroin[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\Freshbuild[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\newlogs[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\1[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\newbuild[1].exe Joe Sandbox ML: detected
Source: setup.exe Joe Sandbox ML: detected
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: 185.172.128.116
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: /Mb3GvQs8/index.php
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: S-%lu-
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: b66a8ae076
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: Hkbsse.exe
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: Startup
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: cmd /C RMDIR /s/q
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: rundll32
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: Programs
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: %USERPROFILE%
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: cred.dll|clip.dll|
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: http://
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: https://
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: /Plugins/
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: &unit=
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: shell32.dll
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: kernel32.dll
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: GetNativeSystemInfo
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: ProgramData\
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: AVAST Software
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: Kaspersky Lab
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: Panda Security
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: Doctor Web
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: 360TotalSecurity
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: Bitdefender
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: Norton
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: Sophos
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: Comodo
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: WinDefender
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: 0123456789
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: ------
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: ?scr=1
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: ComputerName
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: -unicode-
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: VideoID
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: DefaultSettings.XResolution
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: DefaultSettings.YResolution
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: ProductName
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: CurrentBuild
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: rundll32.exe
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: "taskkill /f /im "
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: " && timeout 1 && del
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: && Exit"
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: " && ren
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: Powershell.exe
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: -executionpolicy remotesigned -File "
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: shutdown -s -t 0
Source: 18.2.Freshbuild.exe.30000.0.unpack String decryptor: random
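The decrypted Amadey strings above spell out its host behaviour: persistence through the CurrentVersion\Run and RunOnce keys and the Startup folder, a copy named Hkbsse.exe in a directory called b66a8ae076 (this report lists it under AppData\Local\Temp), a cmd.exe chain built from "taskkill /f /im", "&& timeout 1 && del" and "&& Exit" for self-removal on update, "Powershell.exe -executionpolicy remotesigned -File" for task execution, and rundll32 for the cred.dll / clip.dll plugins. The following script is an added example, not part of this report or of Joe Sandbox, that runs those observations as detection rules over constructed Sysmon-style events. The event field names follow Sysmon (EventID 1 process creation, EventID 13 registry value set), and the exact command lines, the .ps1 name, the plugin drop directory and the rundll32 argument syntax are assumptions for illustration; the paths and strings they contain come from this report.

```python
import re

# Constructed Sysmon-style events. Paths and strings come from the Amadey section
# of this report; the exact command-line shapes are assumed for illustration.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Hkbsse.exe",
     "Details": r"C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c "taskkill /f /im Hkbsse.exe && timeout 1 && del C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe && Exit"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe",
     "CommandLine": r'Powershell.exe -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1000030001\task.ps1"'},  # assumed script name
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe",
     "CommandLine": r'rundll32.exe "C:\Users\user\AppData\Roaming\1000113001\cred.dll", Main'},  # assumed drop dir and export
    # Benign controls: a vendor installer registering an updater, and a plain cmd.exe.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r'cmd.exe /c dir C:\temp'},
]

# Directories an unprivileged user can write to; Amadey lives in AppData\Local\Temp here.
USER_WRITABLE = re.compile(r"\\(?:AppData\\(?:Local|Roaming)|ProgramData|Users\\Public)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)
# "taskkill /f /im" ... "&& timeout 1 && del" ... from the decrypted strings above.
SELF_DELETE = re.compile(r"taskkill\s+/f\s+/im\s+\S+.*&&\s*timeout\s+\d+\s*&&\s*del\s", re.I)
PS_FILE = re.compile(r"-executionpolicy\s+remotesigned\s+-File\s+\"?([^\"]+\.ps1)", re.I)
RUNDLL = re.compile(r"rundll32(?:\.exe)?\s+\"?([^\",]+\.dll)", re.I)


def check_event(ev):
    """Return the list of rule names one event trips (empty for clean events)."""
    hits = []
    if ev.get("EventID") == 13:
        if RUN_KEY.search(ev.get("TargetObject", "")) and USER_WRITABLE.search(ev.get("Details", "")):
            hits.append("amadey_run_key_to_user_dir")
    elif ev.get("EventID") == 1:
        cmd = ev.get("CommandLine", "")
        if SELF_DELETE.search(cmd):
            hits.append("amadey_self_delete_chain")
        m = PS_FILE.search(cmd)
        if m and USER_WRITABLE.search(m.group(1)):
            hits.append("amadey_powershell_script_from_user_dir")
        m = RUNDLL.search(cmd)
        if m and USER_WRITABLE.search(m.group(1)):
            hits.append("amadey_rundll32_plugin_from_user_dir")
    return hits


def scan(events):
    """Return (event index, rule name) pairs for every rule hit in the stream."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"event {idx}: {rule} <- {ev.get('CommandLine') or ev.get('TargetObject')}")
```

All four rules key on the same trait the Sigma hits in this report already flag ("CurrentVersion Autorun Keys Modification", "Use Short Name Path in Command Line"): a binary living in a user-writable directory that registers itself for autostart and drives system tools from there. The parent image is left in the events on purpose; adding a score for a parent under AppData\Local\Temp is the cheapest way to cut false positives from legitimate installers that also touch Run keys.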
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: INSERT_KEY_HERE
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GetProcAddress
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: LoadLibraryA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: lstrcatA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: OpenEventA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: CreateEventA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: CloseHandle
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: Sleep
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GetUserDefaultLangID
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: VirtualAllocExNuma
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: VirtualFree
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GetSystemInfo
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: VirtualAlloc
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: HeapAlloc
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GetComputerNameA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: lstrcpyA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GetProcessHeap
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GetCurrentProcess
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: lstrlenA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: ExitProcess
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GlobalMemoryStatusEx
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GetSystemTime
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: SystemTimeToFileTime
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: advapi32.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: gdi32.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: user32.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: crypt32.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: ntdll.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GetUserNameA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: CreateDCA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GetDeviceCaps
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: ReleaseDC
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: CryptStringToBinaryA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: sscanf
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: VMwareVMware
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: HAL9TH
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: JohnDoe
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: DISPLAY
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: %hu/%hu/%hu
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: http://65.21.175.0
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: /108e010e8f91c38c.php
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: /b13597c85f807692/
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: jopa
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GetEnvironmentVariableA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GetFileAttributesA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GlobalLock
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: HeapFree
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GetFileSize
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GlobalSize
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: CreateToolhelp32Snapshot
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: IsWow64Process
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: Process32Next
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GetLocalTime
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: FreeLibrary
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GetTimeZoneInformation
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GetSystemPowerStatus
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GetVolumeInformationA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GetWindowsDirectoryA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: Process32First
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GetLocaleInfoA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GetUserDefaultLocaleName
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GetModuleFileNameA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: DeleteFileA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: FindNextFileA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: LocalFree
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: FindClose
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: SetEnvironmentVariableA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: LocalAlloc
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GetFileSizeEx
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: ReadFile
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: SetFilePointer
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: WriteFile
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: CreateFileA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: FindFirstFileA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: CopyFileA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: VirtualProtect
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GetLogicalProcessorInformationEx
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GetLastError
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: lstrcpynA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: MultiByteToWideChar
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GlobalFree
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: WideCharToMultiByte
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GlobalAlloc
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: OpenProcess
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: TerminateProcess
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GetCurrentProcessId
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: gdiplus.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: ole32.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: bcrypt.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: wininet.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: shlwapi.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: shell32.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: psapi.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: rstrtmgr.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: CreateCompatibleBitmap
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: SelectObject
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: BitBlt
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: DeleteObject
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: CreateCompatibleDC
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GdipGetImageEncodersSize
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GdipGetImageEncoders
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GdipCreateBitmapFromHBITMAP
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GdiplusStartup
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GdiplusShutdown
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GdipSaveImageToStream
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GdipDisposeImage
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GdipFree
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GetHGlobalFromStream
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: CreateStreamOnHGlobal
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: CoUninitialize
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: CoInitialize
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: CoCreateInstance
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: BCryptGenerateSymmetricKey
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: BCryptCloseAlgorithmProvider
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: BCryptDecrypt
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: BCryptSetProperty
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: BCryptDestroyKey
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: BCryptOpenAlgorithmProvider
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GetWindowRect
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GetDesktopWindow
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GetDC
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: CloseWindow
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: wsprintfA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: EnumDisplayDevicesA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GetKeyboardLayoutList
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: CharToOemW
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: wsprintfW
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: RegQueryValueExA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: RegEnumKeyExA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: RegOpenKeyExA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: RegCloseKey
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: RegEnumValueA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: CryptBinaryToStringA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: CryptUnprotectData
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: SHGetFolderPathA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: ShellExecuteExA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: InternetOpenUrlA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: InternetConnectA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: InternetCloseHandle
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: InternetOpenA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: HttpSendRequestA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: HttpOpenRequestA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: InternetReadFile
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: InternetCrackUrlA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: StrCmpCA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: StrStrA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: StrCmpCW
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: PathMatchSpecA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: GetModuleFileNameExA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: RmStartSession
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: RmRegisterResources
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: RmGetList
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: RmEndSession
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: sqlite3_open
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: sqlite3_prepare_v2
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: sqlite3_step
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: sqlite3_column_text
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: sqlite3_finalize
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: sqlite3_close
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: sqlite3_column_bytes
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: sqlite3_column_blob
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: encrypted_key
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: PATH
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: C:\ProgramData\nss3.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: NSS_Init
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: NSS_Shutdown
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: PK11_GetInternalKeySlot
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: PK11_FreeSlot
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: PK11_Authenticate
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: PK11SDR_Decrypt
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: C:\ProgramData\
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: browser:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: profile:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: url:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: login:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: password:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: Opera
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: OperaGX
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: Network
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: cookies
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: .txt
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: TRUE
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: FALSE
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: autofill
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: SELECT name, value FROM autofill
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: history
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: SELECT url FROM urls LIMIT 1000
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: name:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: month:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: year:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: card:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: Cookies
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: Login Data
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: Web Data
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: History
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: logins.json
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: formSubmitURL
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: usernameField
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: encryptedUsername
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: encryptedPassword
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: guid
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: cookies.sqlite
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: formhistory.sqlite
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: places.sqlite
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: plugins
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: Local Extension Settings
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: Sync Extension Settings
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: IndexedDB
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: Opera Stable
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: Opera GX Stable
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: CURRENT
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: chrome-extension_
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: _0.indexeddb.leveldb
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: Local State
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: profiles.ini
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: chrome
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: opera
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: firefox
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: wallets
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: %08lX%04lX%lu
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: ProductName
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: %d/%d/%d %d:%d:%d
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: ProcessorNameString
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: DisplayName
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: DisplayVersion
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: Network Info:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: - IP: IP?
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: - Country: ISO?
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: System Summary:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: - HWID:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: - OS:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: - Architecture:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: - UserName:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: - Computer Name:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: - Local Time:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: - UTC:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: - Language:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: - Keyboards:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: - Laptop:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: - Running Path:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: - CPU:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: - Threads:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: - Cores:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: - RAM:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: - Display Resolution:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: - GPU:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: User Agents:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: Installed Apps:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: All Users:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: Current User:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: Process List:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: system_info.txt
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: freebl3.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: mozglue.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: msvcp140.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: nss3.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: softokn3.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: vcruntime140.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: \Temp\
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: .exe
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: runas
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: open
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: /c start
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: %DESKTOP%
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: %APPDATA%
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: %LOCALAPPDATA%
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: %USERPROFILE%
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: %DOCUMENTS%
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: %PROGRAMFILES%
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: %PROGRAMFILES_86%
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: %RECENT%
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: *.lnk
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: files
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: \discord\
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: \Local Storage\leveldb\CURRENT
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: \Local Storage\leveldb
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: \Telegram Desktop\
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: key_datas
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: D877F783D5D3EF8C*
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: map*
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: A7FDF864FBC10B77*
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: A92DAA6EA6F891F2*
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: F8806DD0C461824F*
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: Telegram
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: *.tox
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: *.ini
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: Password
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: 00000001
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: 00000002
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: 00000003
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: 00000004
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: \Outlook\accounts.txt
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: Pidgin
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: \.purple\
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: accounts.xml
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: dQw4w9WgXcQ
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: token:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: Software\Valve\Steam
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: SteamPath
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: \config\
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: ssfn*
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: config.vdf
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: DialogConfig.vdf
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: DialogConfigOverlay*.vdf
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: libraryfolders.vdf
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: loginusers.vdf
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: \Steam\
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: sqlite3.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: browsers
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: done
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: soft
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: \Discord\tokens.txt
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: /c timeout /t 5 & del /f /q "
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: C:\Windows\system32\cmd.exe
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: https
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: POST
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: HTTP/1.1
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: Content-Disposition: form-data; name="
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: hwid
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: build
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: token
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: file_name
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: file
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: message
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack String decryptor: screenshot.jpg
Source: setup.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: newlogs.exe, 0000001C.00000002.3747272466.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mozglue.pdbP source: stealc_zov.exe, 0000001E.00000002.3355489493.000000005DB3D000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb source: newlogs.exe, 0000001C.00000002.3747272466.0000000000B59000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nss3.pdb@ source: stealc_zov.exe, 0000001E.00000002.3360499356.000000005DCFF000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdbK& source: newlogs.exe, 0000001C.00000002.3747272466.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdb source: streamer.exe, 0000000E.00000002.1633510777.000000C00029A000.00000004.00001000.00020000.00000000.sdmp, streamer.exe, 0000000E.00000002.1633510777.000000C0001B6000.00000004.00001000.00020000.00000000.sdmp, streamer.exe, 0000000E.00000002.1633510777.000000C00031A000.00000004.00001000.00020000.00000000.sdmp, streamer.exe, 0000000E.00000003.1628415179.000001E9E7300000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb0~ source: newlogs.exe, 0000001C.00000002.3869165497.00000000055D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb source: newlogs.exe, 0000001C.00000002.3747272466.0000000000B37000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nss3.pdb source: stealc_zov.exe, 0000001E.00000002.3360499356.000000005DCFF000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: newlogs.exe, 0000001C.00000002.3747272466.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mozglue.pdb source: stealc_zov.exe, 0000001E.00000002.3355489493.000000005DB3D000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: streamer.exe, 0000000E.00000002.1633510777.000000C00029A000.00000004.00001000.00020000.00000000.sdmp, streamer.exe, 0000000E.00000002.1633510777.000000C0001B6000.00000004.00001000.00020000.00000000.sdmp, streamer.exe, 0000000E.00000002.1633510777.000000C00031A000.00000004.00001000.00020000.00000000.sdmp, streamer.exe, 0000000E.00000003.1628415179.000001E9E7300000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Code function: 15_2_6CB10008 FindFirstFileExW, 15_2_6CB10008
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Code function: 18_2_0006DAAD FindFirstFileExW, 18_2_0006DAAD
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe File opened: C:\Users\user\AppData\Local\Temp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe File opened: C:\Users\user\AppData\Local Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe File opened: C:\Users\user\Documents\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe File opened: C:\Users\user\Desktop\desktop.ini Jump to behavior

Networking

Source: C:\Windows\explorer.exe Network Connect: 176.29.154.25 80
Source: C:\Windows\explorer.exe Network Connect: 127.0.0.127 80
Source: C:\Windows\explorer.exe Network Connect: 141.8.192.6 80
Source: C:\Windows\explorer.exe Network Connect: 102.187.252.37 80
Source: C:\Windows\explorer.exe Network Connect: 188.114.96.3 80
Source: Malware configuration extractor URLs: http://65.21.175.0/108e010e8f91c38c.php
Source: Malware configuration extractor URLs: pedestriankodwu.xyz
Source: Malware configuration extractor URLs: towerxxuytwi.xyzi
Source: Malware configuration extractor URLs: ellaboratepwsz.xyz
Source: Malware configuration extractor URLs: penetratedpoopp.xyz
Source: Malware configuration extractor URLs: swellfrrgwwos.xyze
Source: Malware configuration extractor URLs: contintnetksows.shop
Source: Malware configuration extractor URLs: foodypannyjsud.shop
Source: Malware configuration extractor URLs: potterryisiw.shop
Source: Malware configuration extractor URLs: http://65.21.175.0/108e010e8f91c38c.php
Source: Malware configuration extractor URLs: http://evilos.cc/tmp/index.php
Source: Malware configuration extractor URLs: http://gebeus.ru/tmp/index.php
Source: Malware configuration extractor URLs: http://office-techs.biz/tmp/index.php
Source: Malware configuration extractor URLs: http://cx5519.com/tmp/index.php
Source: Malware configuration extractor IPs: 185.172.128.116
Source: Malware configuration extractor URLs: 4.185.56.82:42687
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe File created: build.exe.11.dr
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe File created: FILE1.exe.11.dr
Source: Joe Sandbox View IP Address: 185.172.128.116 185.172.128.116
Source: Joe Sandbox View ASN Name: NADYMSS-ASRU NADYMSS-ASRU
Source: Joe Sandbox View ASN Name: LEVEL3US LEVEL3US
Source: Joe Sandbox View ASN Name: CP-ASDE CP-ASDE
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Code function: 11_2_00D5BD30 InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetReadFile, 11_2_00D5BD30
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000D12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.116/
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000D12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.116//
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000D12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.116/405117-2476756634-1003
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000D12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.116/405117-2476756634-10031
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000D12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.116/405117-2476756634-10035
Source: axplong.exe, 0000000B.00000002.3748613213.00000000016E4000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2143802469.0000000001745000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000002.3748613213.0000000001745000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.0000000003629000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792182419.0000000003627000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.116/Freshbuild.exe
Source: axplong.exe, 0000000B.00000003.2143802469.0000000001745000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000002.3748613213.0000000001745000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.0000000003629000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792182419.0000000003627000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.116/Freshbuild.exe;
Source: axplong.exe, 0000000B.00000002.3748613213.00000000016E4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.0000000003629000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792182419.0000000003627000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.116/Freshbuild.exeG
Source: axplong.exe, 0000000B.00000002.3748613213.00000000016E4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.0000000003629000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792182419.0000000003627000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.116/Freshbuild.exef
Source: axplong.exe, 0000000B.00000002.3748613213.00000000016E4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.0000000003629000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792182419.0000000003627000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.116/Freshbuild.exes
Source: ZharkBOT.exe, 00000023.00000003.1801769575.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792220751.0000000003750000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792220751.00000000036CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.116/Mb3GvQs8/index.php
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000D12000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792220751.0000000003750000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.116/Mb3GvQs8/index.php1=
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000D12000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792220751.0000000003750000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.116/Mb3GvQs8/index.phpC
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000D12000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792220751.0000000003750000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.116/Mb3GvQs8/index.phpL
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000D12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.116/Mb3GvQs8/index.phpM=
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000D12000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792220751.0000000003750000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.116/Mb3GvQs8/index.phpcoded
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000D12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.116/Mb3GvQs8/index.phpcoded-(Rcx
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000D12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.116/Mb3GvQs8/index.phpcodedn(
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000D12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.116/Mb3GvQs8/index.phpd
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000D12000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792220751.0000000003750000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.116/Mb3GvQs8/index.phpded
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000D12000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792220751.0000000003750000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.116/Mb3GvQs8/index.phpn
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000D12000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792220751.0000000003750000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.116/Mb3GvQs8/index.phpo
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000D12000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792220751.0000000003750000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.116/Mb3GvQs8/index.phpq
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000D12000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792220751.0000000003750000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.116/Mb3GvQs8/index.phpu
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000D12000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792220751.0000000003750000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.116/Mb3GvQs8/index.php~=
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000D12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.116/a
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F50000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.php
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F50000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.php#
Source: stealc_zov.exe, 0000001E.00000002.3247862322.00000000006B8000.00000004.00000001.01000000.00000014.sdmp String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.php27eb6a46da1cb8e815a609f758924517
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.php4
Source: stealc_zov.exe, 0000001E.00000003.3084792585.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000003.3084847184.0000000000F96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.php7
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.php9
Source: stealc_zov.exe, 0000001E.00000003.3084792585.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000003.3084847184.0000000000F96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.php:
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.php=
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.phpD
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.phpL
Source: stealc_zov.exe, 0000001E.00000003.3084792585.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000003.3084847184.0000000000F96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.phpM
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F50000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.phpO
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.phpR
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.phpS
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.phpU
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.phpg
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.phplectrum
Source: stealc_zov.exe, 0000001E.00000002.3247862322.0000000000716000.00000004.00000001.01000000.00000014.sdmp String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.phposition:
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.phppera
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.phpppData
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.phps
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/b13597c85f807692/freebl3.dll
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/b13597c85f807692/freebl3.dllt
Source: stealc_zov.exe, 0000001E.00000002.3303351548.0000000027402000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000002.3253196332.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/b13597c85f807692/mozglue.dll
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/b13597c85f807692/mozglue.dllR
Source: stealc_zov.exe, 0000001E.00000002.3303351548.0000000027402000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/b13597c85f807692/mozglue.dllT
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/b13597c85f807692/msvcp140.dll
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/b13597c85f807692/msvcp140.dll:O
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/b13597c85f807692/msvcp140.dllF
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/b13597c85f807692/msvcp140.dllGIECBGHIJEHIIDGD4
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/b13597c85f807692/msvcp140.dllh
Source: stealc_zov.exe, 0000001E.00000002.3303351548.0000000027402000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/b13597c85f807692/nss3.dll
Source: stealc_zov.exe, 0000001E.00000002.3303351548.0000000027402000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/b13597c85f807692/nss3.dll$
Source: stealc_zov.exe, 0000001E.00000002.3303351548.0000000027402000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/b13597c85f807692/nss3.dllll
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/b13597c85f807692/nss3.dllv
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/b13597c85f807692/softokn3.dll
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/b13597c85f807692/softokn3.dll&O
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/b13597c85f807692/softokn3.dllHO
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/b13597c85f807692/softokn3.dllT
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/b13597c85f807692/sqlite3.dll
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/b13597c85f807692/vcruntime140.dll
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/b13597c85f807692/vcruntime140.dllqk
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10d
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.d
Source: axplong.exe, 0000000B.00000003.2143802469.0000000001745000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507842297.0000000001745000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000002.3748613213.0000000001745000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.0000000003629000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792182419.0000000003627000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://43.153.49.49:8888/down/TpWWMUpe0LEV.exe
Source: ZharkBOT.exe, 00000023.00000003.1803784360.000000000290C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://65.21.175
Source: aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000D97000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1790275554.00000000028CB000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1803784360.00000000028CB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://65.21.175.0
Source: aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000D97000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1790275554.0000000002926000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1790275554.00000000028D9000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1803784360.000000000290C000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1803784360.00000000028CB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://65.21.175.0/
Source: aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://65.21.175.0/1
Source: aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://65.21.175.0/108e010e8
Source: aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1803784360.000000000290C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://65.21.175.0/108e010e8f91c
Source: aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1790275554.0000000002926000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1803784360.000000000290C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://65.21.175.0/108e010e8f91c38c.
Source: aspnet_regiis.exe, 00000011.00000002.2979412810.00000000009A5000.00000040.00000400.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1790275554.00000000028D9000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1803784360.000000000290C000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1803784360.00000000028CB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://65.21.175.0/108e010e8f91c38c.php
Source: aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1790275554.00000000028D9000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1803784360.00000000028CB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://65.21.175.0/108e010e8f91c38c.php5
Source: aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1790275554.00000000028D9000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1803784360.00000000028CB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://65.21.175.0/108e010e8f91c38c.phpE
Source: aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://65.21.175.0/108e010e8f91c38c.phpP
Source: aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1803784360.000000000290C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://65.21.175.0/108e010e8f91c38c.phpb
Source: aspnet_regiis.exe, 00000011.00000002.2979412810.000000000099A000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://65.21.175.0/b13597c85f807692/sqlite3.dll
Source: aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://65.21.175.0/b13597c85f807692/sqlite3.dll$
Source: aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://65.21.175.0/b13597c85f807692/sqlite3.dllen-GB
Source: aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://65.21.175.0/b13597c85f807692/sqlite3.dllg
Source: aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://65.21.175.0/b13597c85f807692/sqlite3.dllx
Source: aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://65.21.175W
Source: axplong.exe, 0000000B.00000002.3748613213.00000000016E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/
Source: axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.000000000360C000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.0000000003629000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792182419.0000000003627000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/Kiru9gu/index.php
Source: axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/Kiru9gu/index.php1000130001
Source: axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/Kiru9gu/index.php1000131001
Source: axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/Kiru9gu/index.php1000144001
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/Kiru9gu/index.php32
Source: axplong.exe, 0000000B.00000003.2144035484.000000000623B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/Kiru9gu/index.php7
Source: axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/Kiru9gu/index.php70551e6e5747850f04add5fc4bc#
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/Kiru9gu/index.php8
Source: axplong.exe, 0000000B.00000002.3748613213.00000000016E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/Kiru9gu/index.phpFA
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/Kiru9gu/index.phpM
Source: axplong.exe, 0000000B.00000002.3817129052.000000000623B000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000623B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/Kiru9gu/index.phpN
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/Kiru9gu/index.phpX
Source: axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/Kiru9gu/index.phpZharkBOT.exe
Source: axplong.exe, 0000000B.00000002.3748613213.00000000016E4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.0000000003629000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792182419.0000000003627000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/Kiru9gu/index.phpbA
Source: axplong.exe, 0000000B.00000003.2144035484.000000000623B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/Kiru9gu/index.phpd
Source: axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/Kiru9gu/index.phpemp
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/Kiru9gu/index.phpl
Source: axplong.exe, 0000000B.00000002.3748613213.00000000016E4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.0000000003629000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792182419.0000000003627000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/Kiru9gu/index.phplA
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/Kiru9gu/index.phplN
Source: axplong.exe, 0000000B.00000002.3817129052.000000000623B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/Kiru9gu/index.phpo
Source: axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/Kiru9gu/index.php~1
Source: axplong.exe, 0000000B.00000002.3748613213.00000000016E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/f
Source: axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/lend/crypt6.exe
Source: axplong.exe, 0000000B.00000002.3817129052.000000000623B000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000623B000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1677103825.000000000623B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/lend/newbuild.exe
Source: axplong.exe, 0000000B.00000002.3817129052.000000000623B000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000623B000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1677103825.000000000623B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/lend/newbuild.exeT
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/lend/newlogs.exe
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/lend/newlogs.exeD
Source: axplong.exe, 0000000B.00000002.3748613213.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.000000000360C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/lend/stealc_zov.exe
Source: axplong.exe, 0000000B.00000002.3748613213.00000000016E4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.0000000003629000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792182419.0000000003627000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/lend/stealc_zov.exe/
Source: axplong.exe, 0000000B.00000002.3748613213.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.000000000360C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/lend/stealc_zov.exe7
Source: axplong.exe, 0000000B.00000002.3817129052.000000000623B000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000623B000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1677103825.000000000623B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/lend/stealc_zov.exeu
Source: axplong.exe, 0000000B.00000002.3748613213.00000000016E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/t%
Source: BitLockerToGo.exe, 0000001F.00000003.1677630665.0000000005995000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: BitLockerToGo.exe, 0000001F.00000003.1677630665.0000000005995000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: explorer.exe, 00000022.00000003.1891018350.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000022.00000000.1690337457.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000022.00000000.1685006963.0000000007306000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: ZharkBOT.exe, 00000023.00000003.1789825008.00000000035AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micros8i
Source: BitLockerToGo.exe, 0000001F.00000003.1677630665.0000000005995000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: BitLockerToGo.exe, 0000001F.00000003.1677630665.0000000005995000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: BitLockerToGo.exe, 0000001F.00000003.1677630665.0000000005995000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: explorer.exe, 00000022.00000003.1891018350.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000022.00000000.1690337457.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000022.00000000.1685006963.0000000007306000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: BitLockerToGo.exe, 0000001F.00000003.1677630665.0000000005995000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: explorer.exe, 00000022.00000003.1891018350.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000022.00000000.1690337457.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000022.00000000.1685006963.0000000007306000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: BitLockerToGo.exe, 0000001F.00000003.1677630665.0000000005995000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: BitLockerToGo.exe, 0000001F.00000003.1677630665.0000000005995000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000022.00000003.1891018350.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000022.00000000.1690337457.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000022.00000000.1685006963.0000000007306000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: BitLockerToGo.exe, 0000001F.00000003.1677630665.0000000005995000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: explorer.exe, 00000022.00000000.1687380427.0000000007C70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000022.00000000.1688702793.0000000008810000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000022.00000000.1688737269.0000000008820000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.000000000321D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/D
Source: newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Ent
Source: newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10
Source: newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10LR
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: RegAsm.exe, 00000017.00000002.1730701339.00000000033AB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
Source: newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10ResponsehM
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11
Source: newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11LR
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003479000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: RegAsm.exe, 00000017.00000002.1730701339.00000000031B4000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003479000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
Source: newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11ResponsehM
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12
Source: newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12LR
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.000000000321D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
Source: newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12ResponsehM
Source: RegAsm.exe, 00000017.00000002.1730701339.00000000033B3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13
Source: newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13LR
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: RegAsm.exe, 00000017.00000002.1730701339.00000000033B3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
Source: newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13ResponsehM
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14
Source: newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14LR
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
Source: newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14ResponsehM
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15
Source: newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15LR
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.1730701339.000000000320C000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
Source: newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15ResponsehM
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16
Source: newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16LR
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.1730701339.000000000320C000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
Source: newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16ResponsehM
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17
Source: newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17LR
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: RegAsm.exe, 00000017.00000002.1730701339.00000000033B3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
Source: newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17ResponsehM
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18
Source: newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18LR
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: RegAsm.exe, 00000017.00000002.1730701339.00000000033B3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
Source: newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18ResponsehM
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19
Source: newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19LR
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: RegAsm.exe, 00000017.00000002.1730701339.00000000033B3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
Source: newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19ResponsehM
Source: newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1LR
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1ResponsehM
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20
Source: newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20LR
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: RegAsm.exe, 00000017.00000002.1730701339.00000000033B3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
Source: newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20ResponsehM
Source: RegAsm.exe, 00000017.00000002.1730701339.00000000034D9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21
Source: newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21LR
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507798051.0000000006205000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507842297.0000000001745000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000002.3748613213.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.000000000360C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/%7Bfb83dd9a-6600-46cd-b25f-7b5decba6275%7D/
Source: axplong.exe, 0000000B.00000003.1507842297.0000000001745000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/709b9568a348ca9adec25b3fbf8b44263e4ab627c65d1729
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/account/sdgdf/avatar/
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507798051.0000000006205000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/blog/announcing-our-new-ci-cd-runtime-with-up-to-8x-faster-builds
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507798051.0000000006205000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/blog/wp-json/wp/v2/posts?categories=196&context=embed&per_page=6&orderby=date&
Source: axplong.exe, 0000000B.00000003.1507842297.0000000001745000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/f49fa1a70b1ea6d80e22bac709b9568a348ca9adec25b3fbf8b44263e4ab627c65d1729cE
Source: axplong.exe, 0000000B.00000003.1507842297.0000000001745000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/f49fa1a70b1ea6d80e22bac709b9568a348ca9adec25b3fbf8b44263e4ab627c65d172:
Source: axplong.exe, 0000000B.00000003.1507842297.0000000001745000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/ferences.SourceAumid/
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507798051.0000000006205000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/gateway/api/emoji/
Source: axplong.exe, 0000000B.00000002.3748613213.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.000000000360C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/m
Source: axplong.exe, 0000000B.00000003.1507842297.0000000001745000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/onal
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/sdgdf/fbghhj/downloads/FILE1.exe
Source: axplong.exe, 0000000B.00000003.1507798051.000000000620C000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000002.3748613213.00000000016E4000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507842297.0000000001745000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.0000000003629000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792182419.0000000003627000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/sdgdf/fbghhj/downloads/build.exe
Source: axplong.exe, 0000000B.00000003.1507842297.0000000001745000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/sdgdf/fbghhj/downloads/build.exe3456789
Source: axplong.exe, 0000000B.00000002.3748613213.00000000016E4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.0000000003629000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792182419.0000000003627000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/sdgdf/fbghhj/downloads/build.exe8
Source: axplong.exe, 0000000B.00000003.1379772731.0000000001720000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000002.3748613213.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1379772731.0000000001702000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1449527562.0000000001720000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1379671397.00000000016FE000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.000000000360C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/sdgdf/fbghhj/downloads/streamer.exe
Source: axplong.exe, 0000000B.00000002.3748613213.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.000000000360C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/sdgdf/fbghhj/downloads/streamer.exe6789
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507798051.0000000006205000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.status.atlassian.com/
Source: stealc_zov.exe, 0000001E.00000002.3303351548.0000000027402000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1680030212.0000000003715000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
Source: stealc_zov.exe, 0000001E.00000002.3303351548.0000000027402000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1680030212.0000000003715000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta
Source: axplong.exe, 0000000B.00000003.1379772731.0000000001720000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1677103825.000000000621C000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1379772731.0000000001702000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507842297.000000000175A000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1379671397.00000000016F7000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1379671397.00000000016FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.cookielaw.org/
Source: stealc_zov.exe, 0000001E.00000003.3084516926.0000000000FB1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1654268126.0000000005988000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1653988672.000000000599F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: stealc_zov.exe, 0000001E.00000003.3084516926.0000000000FB1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1654268126.0000000005988000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1653988672.000000000599F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: stealc_zov.exe, 0000001E.00000003.3084516926.0000000000FB1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1654268126.0000000005988000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1653988672.000000000599F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: stealc_zov.exe, 0000001E.00000002.3303351548.0000000027402000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1680030212.0000000003715000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: stealc_zov.exe, 0000001E.00000002.3303351548.0000000027402000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1680030212.0000000003715000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: axplong.exe, 0000000B.00000003.1677103825.000000000621C000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507842297.000000000175A000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d136azpfpnge1l.cloudfront.net/
Source: axplong.exe, 0000000B.00000003.1379671397.00000000016FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d136azpfpnge1l.cloudfront.net/;
Source: axplong.exe, 0000000B.00000003.1379671397.00000000016FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d301sr5gafysq2.cloudfront.net/
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507798051.0000000006205000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d301sr5gafysq2.cloudfront.net/a022e62940a9/dist/webpack/app.js
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507798051.0000000006205000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d301sr5gafysq2.cloudfront.net/a022e62940a9/dist/webpack/aui-8.js
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507798051.0000000006205000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d301sr5gafysq2.cloudfront.net/a022e62940a9/dist/webpack/locales/en.js
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507798051.0000000006205000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d301sr5gafysq2.cloudfront.net/a022e62940a9/dist/webpack/vendor.js
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507798051.0000000006205000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d301sr5gafysq2.cloudfront.net/a022e62940a9/jsi18n/en/djangojs.js
Source: stealc_zov.exe, 0000001E.00000003.3084516926.0000000000FB1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1654268126.0000000005988000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1653988672.000000000599F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: stealc_zov.exe, 0000001E.00000003.3084516926.0000000000FB1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1654268126.0000000005988000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1653988672.000000000599F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: stealc_zov.exe, 0000001E.00000003.3084516926.0000000000FB1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1654268126.0000000005988000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1653988672.000000000599F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: explorer.exe, 00000022.00000000.1702130995.000000000C091000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: streamer.exe, streamer.exe, 0000000E.00000002.1636684412.00007FF7E5C0B000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: https://github.com/golang/protobuf/issues/1609):
Source: axplong.exe, 0000000B.00000003.1507798051.0000000006205000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.atlassian.com/login
Source: axplong.exe, 0000000B.00000003.1507798051.0000000006205000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.atlassian.com/logout
Source: axplong.exe, 0000000B.00000003.1507798051.0000000006205000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.atlassian.com/manage-profile/
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1c9Jin.img
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: BitLockerToGo.exe, 0000001F.00000003.1680030212.0000000003715000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
Source: streamer.exe String found in binary or memory: https://login.chinacloudapi.cn/mergeRuneSets
Source: streamer.exe String found in binary or memory: https://login.microsoftonline.com/bad
Source: streamer.exe String found in binary or memory: https://login.microsoftonline.us/too
Source: explorer.exe, 00000022.00000000.1702130995.000000000C091000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com
Source: BitLockerToGo.exe, 0000001F.00000002.1788412749.000000000367D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1691672162.00000000036EE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1786290518.000000000367D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1665322987.000000000367D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1786290518.000000000364B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1693084005.00000000036EE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1692548488.00000000036EE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000002.1788412749.000000000364B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1665322987.00000000036E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://potterryisiw.shop/
Source: BitLockerToGo.exe, 0000001F.00000003.1709677823.00000000036E2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1642251556.00000000036A8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1747890232.00000000036FA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1747224489.00000000036E6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000002.1789130872.00000000036F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000002.1789336555.00000000036FA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1786737002.00000000036F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1740077434.00000000036FA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1747513352.00000000036ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000002.1788412749.0000000003672000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1665322987.0000000003672000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1654071650.0000000003698000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1740077434.00000000036F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1786290518.0000000003672000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1787055319.00000000036FA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1653312909.0000000003698000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1665322987.0000000003698000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1665322987.00000000036E3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1747890232.00000000036F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://potterryisiw.shop/api
Source: BitLockerToGo.exe, 0000001F.00000002.1789336555.00000000036FA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1787055319.00000000036FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://potterryisiw.shop/api1m
Source: BitLockerToGo.exe, 0000001F.00000003.1747890232.00000000036FA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000002.1789336555.00000000036FA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1740077434.00000000036FA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1787055319.00000000036FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://potterryisiw.shop/api4
Source: BitLockerToGo.exe, 0000001F.00000003.1747224489.00000000036E6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1747513352.00000000036ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1740077434.00000000036F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1747890232.00000000036F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://potterryisiw.shop/apiX
Source: BitLockerToGo.exe, 0000001F.00000003.1691672162.00000000036EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://potterryisiw.shop/apia4
Source: BitLockerToGo.exe, 0000001F.00000002.1789130872.00000000036F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1786737002.00000000036F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://potterryisiw.shop/apik
Source: BitLockerToGo.exe, 0000001F.00000003.1642251556.00000000036A8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1654071650.0000000003698000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1653312909.0000000003698000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1665322987.0000000003698000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://potterryisiw.shop/apim
Source: BitLockerToGo.exe, 0000001F.00000002.1788412749.000000000367D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1786290518.000000000367D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://potterryisiw.shop/c
Source: BitLockerToGo.exe, 0000001F.00000002.1788412749.000000000367D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1786290518.000000000367D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://potterryisiw.shop/h
Source: BitLockerToGo.exe, 0000001F.00000003.1786290518.000000000365C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://potterryisiw.shop/l
Source: BitLockerToGo.exe, 0000001F.00000002.1788412749.000000000365C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://potterryisiw.shop/l/
Source: BitLockerToGo.exe, 0000001F.00000003.1665322987.000000000367D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://potterryisiw.shop/m
Source: explorer.exe, 00000022.00000000.1702130995.000000000C091000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.com
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507798051.0000000006205000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://preferences.atlassian.com
Source: streamer.exe, streamer.exe, 0000000E.00000002.1636684412.00007FF7E5C0B000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: https://protobuf.dev/reference/go/faq#namespace-conflictnot
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1677103825.000000000621C000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1379772731.0000000001702000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507842297.000000000175A000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1379671397.00000000016F7000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1379671397.00000000016FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1677103825.000000000621C000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1379772731.0000000001702000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507842297.000000000175A000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1379671397.00000000016F7000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1379671397.00000000016FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
Source: axplong.exe, 0000000B.00000002.3748613213.00000000016E4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.0000000003629000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792182419.0000000003627000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://solutionhub.cc/
Source: axplong.exe, 0000000B.00000002.3748613213.0000000001745000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.0000000003629000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792182419.0000000003627000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://solutionhub.cc/download/ZharkBOT.exe
Source: BitLockerToGo.exe, 0000001F.00000003.1679591645.0000000005A9A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: BitLockerToGo.exe, 0000001F.00000003.1679591645.0000000005A9A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: stealc_zov.exe, 0000001E.00000003.3208381329.000000002D4B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1801769575.00000000036F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sylhetvoice.com/
Source: Hkbsse.exe, 00000013.00000003.1609070300.0000000000D13000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792220751.0000000003735000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792220751.000000000372B000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1801769575.0000000003720000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sylhetvoice.com/tmp/1.exe
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000CED000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792220751.000000000372B000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1801769575.0000000003720000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sylhetvoice.com/tmp/1.exe(nmb%
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000CED000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792220751.0000000003735000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sylhetvoice.com/tmp/1.exe4c6d8c1b3aeaJz
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000CED000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792220751.0000000003735000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sylhetvoice.com/tmp/1.exeqz
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1379772731.0000000001720000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1677103825.000000000621C000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1379772731.0000000001702000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507842297.000000000175A000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1379671397.00000000016F7000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1379671397.00000000016FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000022.00000003.1891078527.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000022.00000000.1690337457.00000000090F2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/
Source: explorer.exe, 00000022.00000000.1702130995.000000000C091000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.com
Source: stealc_zov.exe, 0000001E.00000002.3303351548.0000000027402000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1680030212.0000000003715000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507798051.0000000006205000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.atlassian.com/try/cloud/signup?bundle=bitbucket
Source: stealc_zov.exe, 0000001E.00000003.3084516926.0000000000FB1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1654268126.0000000005988000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1653988672.000000000599F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: stealc_zov.exe, 0000001E.00000003.3084516926.0000000000FB1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1654268126.0000000005988000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1653988672.000000000599F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: stealc_zov.exe, 0000001E.00000002.3303351548.0000000027402000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1680030212.0000000003715000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: stealc_zov.exe, 0000001E.00000002.3247862322.0000000000716000.00000004.00000001.01000000.00000014.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: BitLockerToGo.exe, 0000001F.00000003.1679591645.0000000005A9A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: stealc_zov.exe, 0000001E.00000002.3247862322.0000000000716000.00000004.00000001.01000000.00000014.sdmp String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: stealc_zov.exe, 0000001E.00000002.3247862322.0000000000716000.00000004.00000001.01000000.00000014.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: BitLockerToGo.exe, 0000001F.00000003.1679591645.0000000005A9A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: stealc_zov.exe, 0000001E.00000002.3247862322.0000000000716000.00000004.00000001.01000000.00000014.sdmp String found in binary or memory: https://www.mozilla.org/contribute/vchost.exe
Source: stealc_zov.exe, 0000001E.00000003.3208381329.000000002D4B8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1679591645.0000000005A9A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: BitLockerToGo.exe, 0000001F.00000003.1679591645.0000000005A9A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: stealc_zov.exe, 0000001E.00000002.3247862322.00000000007BA000.00000004.00000001.01000000.00000014.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: stealc_zov.exe, 0000001E.00000003.3208381329.000000002D4B8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1679591645.0000000005A9A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: stealc_zov.exe, 0000001E.00000002.3247862322.00000000007BA000.00000004.00000001.01000000.00000014.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsm
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000022.00000000.1685006963.00000000071B2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.pollensense.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 0000001D.00000002.1733003318.0000000004751000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.2186372317.0000000002DA1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.2185877753.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.1731795497.0000000002E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 0000001D.00000002.1733003318.0000000004751000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000001D.00000002.1731585464.0000000002CF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000001D.00000002.1732396588.0000000002E7F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000027.00000002.2186372317.0000000002DA1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000027.00000002.2185619506.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000027.00000002.2185877753.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000027.00000002.2187001287.0000000002F8E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001D.00000002.1731795497.0000000002E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: setup.exe Static PE information: section name:
Source: setup.exe Static PE information: section name: .idata
Source: setup.exe Static PE information: section name:
Source: axplong.exe.1.dr Static PE information: section name:
Source: axplong.exe.1.dr Static PE information: section name: .idata
Source: axplong.exe.1.dr Static PE information: section name:
Source: stealc_zov[1].exe.11.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: stealc_zov.exe.11.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Windows\explorer.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Code function: 15_2_6CB02630 GetModuleHandleW,GetProcAddress,NtQueryInformationProcess, 15_2_6CB02630
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Code function: 18_2_0004CA9A NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers, 18_2_0004CA9A
Source: C:\Users\user\Desktop\setup.exe File created: C:\Windows\Tasks\axplong.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe File created: C:\Windows\Tasks\Hkbsse.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Code function: 11_2_00D5E410 11_2_00D5E410
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Code function: 11_2_00D54CD0 11_2_00D54CD0
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Code function: 11_2_00D93048 11_2_00D93048
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Code function: 11_2_00D87D63 11_2_00D87D63
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Code function: 11_2_00D54AD0 11_2_00D54AD0
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Code function: 11_2_00D96EE9 11_2_00D96EE9
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Code function: 11_2_00D9763B 11_2_00D9763B
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Code function: 11_2_00D92BB0 11_2_00D92BB0
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Code function: 11_2_00D9775B 11_2_00D9775B
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Code function: 11_2_00D98700 11_2_00D98700
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Code function: 15_2_6CB012D0 15_2_6CB012D0
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Code function: 15_2_6CB02630 15_2_6CB02630
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Code function: 15_2_6CB02F20 15_2_6CB02F20
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Code function: 15_2_6CB165B5 15_2_6CB165B5
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Code function: 15_2_6CB0A9D0 15_2_6CB0A9D0
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Code function: 15_2_6CB02D40 15_2_6CB02D40
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Code function: 18_2_0003A909 18_2_0003A909
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Code function: 18_2_00039910 18_2_00039910
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Code function: 18_2_00073048 18_2_00073048
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Code function: 18_2_000560A2 18_2_000560A2
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Code function: 18_2_00051512 18_2_00051512
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Code function: 18_2_0007763B 18_2_0007763B
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Code function: 18_2_00078700 18_2_00078700
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Code function: 18_2_0007775B 18_2_0007775B
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Code function: 18_2_00034AD0 18_2_00034AD0
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Code function: 18_2_00072BB0 18_2_00072BB0
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Code function: 18_2_00034CD0 18_2_00034CD0
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Code function: 18_2_00053D01 18_2_00053D01
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Code function: 18_2_00050D23 18_2_00050D23
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Code function: 18_2_00067D63 18_2_00067D63
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Code function: 18_2_00076EE9 18_2_00076EE9
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Code function: String function: 0004DE90 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Code function: String function: 0004D852 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Code function: String function: 00047F00 appears 123 times
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Code function: String function: 6CB0BB30 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 312
Source: streamer[1].exe.11.dr Static PE information: Number of sections : 12 > 10
Source: streamer.exe.11.dr Static PE information: Number of sections : 12 > 10
Source: setup.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0000001D.00000002.1733003318.0000000004751000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000001D.00000002.1731585464.0000000002CF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000001D.00000002.1732396588.0000000002E7F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000027.00000002.2186372317.0000000002DA1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000027.00000002.2185619506.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000027.00000002.2185877753.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000027.00000002.2187001287.0000000002F8E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001D.00000002.1731795497.0000000002E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: whiteheroin[1].exe.11.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: TpWWMUpe0LEV.exe.11.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: setup.exe Static PE information: Section: ZLIB complexity 0.9984097506830601
Source: setup.exe Static PE information: Section: vbhkqplo ZLIB complexity 0.9950141504249707
Source: axplong.exe.1.dr Static PE information: Section: ZLIB complexity 0.9984097506830601
Source: axplong.exe.1.dr Static PE information: Section: vbhkqplo ZLIB complexity 0.9950141504249707
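The static PE lines above (blank or unprintable section names, a .text section that is both writable and executable, 12 sections, ZLIB complexity close to 1.0) can all be reproduced from the section table alone. The block below is an added example, not Joe Sandbox code: a stdlib-only section-header parser with those four checks, run over a constructed image that the same block builds. The thresholds (10 sections, compressibility 0.99), the reading of "ZLIB complexity" as compressed size over raw size, and the sample section layout are assumptions of this example.

```python
"""Static PE section triage, stdlib only. Added example for the report lines above
(unprintable section names, RWX .text, 12 sections, ZLIB complexity ~0.998);
not Joe Sandbox code. Thresholds and the compressibility metric are assumptions."""
import hashlib
import struct
import zlib

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

MAX_SECTIONS = 10      # assumption: the report flags "12 > 10"
PACKED_RATIO = 0.99    # assumption: packed sections in the report score 0.995-0.998
NAME_OK = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._$")


def parse_sections(data):
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0")
        _, _, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from("<IIIIIIHHI", data, off + 8)
        sections.append({"name": name, "chars": chars, "raw": data[raw_ptr:raw_ptr + raw_size]})
    return sections


def zlib_ratio(raw):
    """Compressed size / raw size: ~1.0 means already compressed or encrypted bytes."""
    return len(zlib.compress(raw, 9)) / len(raw) if raw else 0.0


def triage(data):
    """Return (check, section_name_hex, detail) tuples for one PE image."""
    sections = parse_sections(data)
    findings = []
    if len(sections) > MAX_SECTIONS:
        findings.append(("too_many_sections", "", f"{len(sections)} > {MAX_SECTIONS}"))
    for s in sections:
        tag, chars = s["name"].hex(), s["chars"]
        if not s["name"] or any(b not in NAME_OK for b in s["name"]):
            findings.append(("odd_section_name", tag, repr(s["name"])))
        if chars & IMAGE_SCN_MEM_WRITE and chars & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE):
            findings.append(("rwx_section", tag, f"characteristics=0x{chars:08x}"))
        ratio = zlib_ratio(s["raw"])
        if ratio >= PACKED_RATIO:
            findings.append(("packed_section", tag, f"zlib ratio {ratio:.4f}"))
    return findings


def build_pe(sections):
    """Constructed test image (MZ stub, PE header, section table, raw data).
    Only the fields parse_sections() reads are filled in."""
    opt_size = 0xE0
    header_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    first_raw = (header_len + 0x1FF) & ~0x1FF
    table, body, vaddr = b"", b"", 0x1000
    for name, chars, raw in sections:
        raw_size = (len(raw) + 0x1FF) & ~0x1FF
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(raw), vaddr, raw_size, first_raw + len(body), 0, 0, 0, 0, chars)
        body += raw.ljust(raw_size, b"\0")
        vaddr += (raw_size + 0xFFF) & ~0xFFF
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    return (dos + coff + b"\0" * opt_size + table).ljust(first_raw, b"\0") + body


# Constructed sample modelled on the report: RWX .text, an unprintable section name,
# and an incompressible 'vbhkqplo' section (deterministic pseudo-random bytes).
PACKED_BYTES = b"".join(hashlib.sha256(i.to_bytes(2, "little")).digest() for i in range(128))
SAMPLE_SECTIONS = [
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, b"\x90" * 0x400),
    (b"\x03\x07\x01", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ, b"ABC" * 100),
    (b".idata", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ, b"\0" * 0x200),
    (b"vbhkqplo", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ, PACKED_BYTES),
]


def demo():
    return triage(build_pe(SAMPLE_SECTIONS))


if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

Run against a real dropped file with `triage(open(path, "rb").read())`. A writable code section is the signature of a self-modifying unpacker stub, and an incompressible section with a random-looking name is where the packed payload sits; together they are the static view of the "Detected unpacking (changes PE section rights)" behaviour the report lists.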
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@49/64@0/18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 17_2_00976550 CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification, 17_2_00976550
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\streamer[1].exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8000:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Mutant created: \Sessions\1\BaseNamedObjects\07c6bc37dc50874878dcb010336ed906
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1196
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2120:120:WilError_03
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user~1\AppData\Local\Temp\8254624243 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe File opened: C:\Windows\system32\b5f2b550938247c50a552a9aee8222fc4554bb3927f888f9f3ea73ce6fcb4e3fAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\ProgramData\34vgn892c.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\setup.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: stealc_zov.exe, 0000001E.00000002.3280954499.000000001B3AA000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000002.3360499356.000000005DCFF000.00000002.00000001.01000000.0000001C.sdmp, stealc_zov.exe, 0000001E.00000002.3365688300.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: stealc_zov.exe, 0000001E.00000002.3280954499.000000001B3AA000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000002.3360499356.000000005DCFF000.00000002.00000001.01000000.0000001C.sdmp, stealc_zov.exe, 0000001E.00000002.3365688300.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: stealc_zov.exe, 0000001E.00000002.3280954499.000000001B3AA000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000002.3360499356.000000005DCFF000.00000002.00000001.01000000.0000001C.sdmp, stealc_zov.exe, 0000001E.00000002.3365688300.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: stealc_zov.exe, 0000001E.00000002.3280954499.000000001B3AA000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000002.3360499356.000000005DCFF000.00000002.00000001.01000000.0000001C.sdmp, stealc_zov.exe, 0000001E.00000002.3365688300.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: stealc_zov.exe, 0000001E.00000002.3280954499.000000001B3AA000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000002.3360499356.000000005DCFF000.00000002.00000001.01000000.0000001C.sdmp, stealc_zov.exe, 0000001E.00000002.3365688300.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: stealc_zov.exe, 0000001E.00000002.3280954499.000000001B3AA000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000002.3365688300.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: stealc_zov.exe, 0000001E.00000002.3280954499.000000001B3AA000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000002.3360499356.000000005DCFF000.00000002.00000001.01000000.0000001C.sdmp, stealc_zov.exe, 0000001E.00000002.3365688300.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: stealc_zov.exe, 0000001E.00000003.3099165661.0000000021316000.00000004.00000020.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003606000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003699000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000036AF000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.000000000361B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: stealc_zov.exe, 0000001E.00000002.3280954499.000000001B3AA000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000002.3365688300.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: stealc_zov.exe, 0000001E.00000002.3280954499.000000001B3AA000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000002.3365688300.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: setup.exe ReversingLabs: Detection: 68%
Source: setup.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: streamer.exe String found in binary or memory: lkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlin
Source: streamer.exe String found in binary or memory: sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stoppin
Source: C:\Users\user\Desktop\setup.exe File read: C:\Users\user\Desktop\setup.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\setup.exe"
Source: C:\Users\user\Desktop\setup.exe Process created: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe "C:\Users\user~1\AppData\Local\Temp\8254624243\axplong.exe"
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe "C:\Users\user~1\AppData\Local\Temp\1000111001\streamer.exe"
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe "C:\Users\user~1\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe"
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe "C:\Users\user~1\AppData\Local\Temp\1000125001\Freshbuild.exe"
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Process created: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe "C:\Users\user~1\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe C:\Users\user~1\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe "C:\Users\user~1\AppData\Local\Temp\1000128001\crypt6.exe"
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 312
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe "C:\Users\user~1\AppData\Local\Temp\1000130001\newlogs.exe"
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Process created: C:\Users\user\AppData\Local\Temp\1000030001\1.exe "C:\Users\user~1\AppData\Local\Temp\1000030001\1.exe"
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe "C:\Users\user~1\AppData\Local\Temp\1000131001\stealc_zov.exe"
Source: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe "C:\Users\user~1\AppData\Local\Temp\1000132001\newbuild.exe"
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe "C:\Users\user~1\AppData\Local\Temp\1000144001\ZharkBOT.exe"
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe Process created: C:\ProgramData\34vgn892c.exe "C:\ProgramData\34vgn892c.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\dcbedta C:\Users\user\AppData\Roaming\dcbedta
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe C:\Users\user~1\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe C:\Users\user~1\AppData\Local\Temp\8254624243\axplong.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\50EC.exe C:\Users\user~1\AppData\Local\Temp\50EC.exe
Source: C:\Users\user\Desktop\setup.exe Process created: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe "C:\Users\user~1\AppData\Local\Temp\8254624243\axplong.exe"
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe "C:\Users\user~1\AppData\Local\Temp\1000111001\streamer.exe"
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe "C:\Users\user~1\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe"
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe "C:\Users\user~1\AppData\Local\Temp\1000125001\Freshbuild.exe"
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe "C:\Users\user~1\AppData\Local\Temp\1000128001\crypt6.exe"
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe "C:\Users\user~1\AppData\Local\Temp\1000130001\newlogs.exe"
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe "C:\Users\user~1\AppData\Local\Temp\1000131001\stealc_zov.exe"
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe "C:\Users\user~1\AppData\Local\Temp\1000132001\newbuild.exe"
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe "C:\Users\user~1\AppData\Local\Temp\1000144001\ZharkBOT.exe"
Source: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Process created: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe "C:\Users\user~1\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Process created: C:\Users\user\AppData\Local\Temp\1000030001\1.exe "C:\Users\user~1\AppData\Local\Temp\1000030001\1.exe"
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\50EC.exe C:\Users\user~1\AppData\Local\Temp\50EC.exe
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe Process created: C:\ProgramData\34vgn892c.exe "C:\ProgramData\34vgn892c.exe"
Source: C:\ProgramData\34vgn892c.exe Process created: unknown unknown
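The process tree above is more useful to a hunter than the individual file names, which rotate per campaign. Two shapes stand out: executables dropped under AppData\Local\Temp and ProgramData launch signed Microsoft binaries (aspnet_regiis.exe, RegAsm.exe, BitLockerToGo.exe) which, per the Section loaded lines that follow, then pull in wininet.dll, winhttp.dll, mswsock.dll, ncrypt.dll, dpapi.dll, wbemcomn.dll and rstrtmgr.dll, none of which those utilities need for their legitimate job (rstrtmgr.dll, the Restart Manager, is what stealers use to release file locks on browser databases; amsi.dll appearing in RegAsm.exe means the CLR scanned an in-memory assembly load); and explorer.exe, a system process, spawns 50EC.exe out of Temp, matching the report's "System process connects to network (likely due to code injection)" signature. The script below is an added example, not part of the Joe Sandbox report or of any of the samples' code: it parses "Process created" / "Section loaded" lines (a constructed subset of the report's own lines is embedded), deduplicates edges the report repeats under several signatures, and applies three hunting rules. The path heuristics, the noise allow-list (conhost.exe, WerFault.exe) and the suspect-DLL list are the editor's assumptions, not report fields.

```python
"""Hunt for hollowing / LOLBIN-hosting patterns in sandbox process and module-load lines (added example)."""
import re
from collections import defaultdict

# Constructed sample: a subset of the report lines above, including one edge the report
# repeats under a second signature (with the exported 'Jump to behavior' link text).
SAMPLE = r"""
Source: unknown Process created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\setup.exe"
Source: C:\Users\user\Desktop\setup.exe Process created: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe "C:\Users\user~1\AppData\Local\Temp\8254624243\axplong.exe"
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe "C:\Users\user~1\AppData\Local\Temp\1000111001\streamer.exe"
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe "C:\Users\user~1\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe"
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe "C:\Users\user~1\AppData\Local\Temp\1000128001\crypt6.exe"
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 312
Source: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\50EC.exe C:\Users\user~1\AppData\Local\Temp\50EC.exe
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll
"""

PROC_RE = re.compile(r"^Source: (\S+) Process created: (\S+)")
LOAD_RE = re.compile(r"^Source: (\S+) Section loaded: (\S+)")

SYSTEM_PREFIX = "c:\\windows\\"                               # assumption: signed OS binaries live here
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")  # assumption: dropper staging areas
# Expected side effects of console apps and crashes, not hollowing hosts (editor's allow-list)
NOISE_CHILDREN = {"conhost.exe", "werfault.exe"}
# Network, crypto, WMI and AMSI modules a .NET registration utility never needs on its own
SUSPECT_DLLS = {"wininet.dll", "winhttp.dll", "mswsock.dll", "dnsapi.dll", "ncrypt.dll",
                "dpapi.dll", "rstrtmgr.dll", "wbemcomn.dll", "amsi.dll"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def is_system(path):
    return path.lower().startswith(SYSTEM_PREFIX)

def is_user_writable(path):
    p = path.lower()
    return not is_system(p) and any(marker in p for marker in USER_WRITABLE)

def parse(lines):
    """Return (ordered list of (parent, child) edges, {process path: set of loaded dlls})."""
    edges, loads = [], defaultdict(set)
    for line in lines:
        m = PROC_RE.match(line)
        if m:
            edges.append((m.group(1), m.group(2)))
            continue
        m = LOAD_RE.match(line)
        if m:
            loads[m.group(1)].add(m.group(2).lower())
    return edges, loads

def analyse(lines):
    edges, loads = parse(lines)
    findings = {"lolbin_host": [], "system_parent_spawns_dropped": [], "suspect_modules": {}}
    seen = set()
    for parent, child in edges:
        if (parent, child) in seen:          # the same edge is listed under several signatures
            continue
        seen.add((parent, child))
        # Rule 1: a dropped binary launches a signed OS binary -> likely hollowing / injection host
        if is_user_writable(parent) and is_system(child) and basename(child) not in NOISE_CHILDREN:
            findings["lolbin_host"].append((basename(parent), basename(child)))
        # Rule 2: an OS process spawns a dropped binary -> foreign code running inside a system process
        if is_system(parent) and is_user_writable(child):
            findings["system_parent_spawns_dropped"].append((basename(parent), basename(child)))
    # Rule 3: OS binaries loading modules outside their legitimate profile
    for proc, dlls in loads.items():
        if is_system(proc):
            hits = sorted(dlls & SUSPECT_DLLS)
            if hits:
                findings["suspect_modules"][basename(proc)] = hits
    return findings

if __name__ == "__main__":
    for rule, hits in analyse(SAMPLE.strip().splitlines()).items():
        print(rule, hits)
```

The same three rules translate directly to endpoint telemetry: rules 1 and 2 are parent/child checks on Sysmon Event ID 1 (ParentImage, Image) and rule 3 is a per-process module profile over Sysmon Event ID 7 (Image, ImageLoaded); on this report they single out aspnet_regiis.exe, RegAsm.exe and BitLockerToGo.exe as hosts and explorer.exe as an injected system process, while leaving the conhost.exe and WerFault.exe children alone.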
Source: C:\Users\user\Desktop\setup.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: mstask.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: dui70.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: chartv.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: dui70.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: duser.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: chartv.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwrite.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: textshaping.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: textinputframework.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: coremessaging.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: coremessaging.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Section loaded: mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Section loaded: windowscodecs.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winhttp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: webio.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mswsock.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: iphlpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winnsi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: sspicli.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dnsapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rasadhlp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: schannel.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ntasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncrypt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: msasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptsp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rsaenh.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptbase.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: gpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: wbemcomn.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: amsi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: userenv.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: profapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: version.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: wbemcomn.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: uxtheme.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Section loaded: ntasn1.dll
Source: C:\Windows\explorer.exe Section loaded: windows.cloudstore.schema.shell.dll
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe Section loaded: webio.dll
Source: C:\Windows\explorer.exe Section loaded: smartscreenps.dll
Source: C:\Windows\explorer.exe Section loaded: smartscreenps.dll
Source: C:\Windows\explorer.exe Section loaded: smartscreenps.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll
Source: C:\Windows\explorer.exe Section loaded: msvcp140.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe Section loaded: pdh.dll
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe Section loaded: perfos.dll
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe Section loaded: wintypes.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: apphelp.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: pdh.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: powrprof.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: umpdc.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: perfos.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: amsi.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: wininet.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: wbemcomn.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: userenv.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: profapi.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: version.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: wbemcomn.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: wbemcomn.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: sspicli.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: iertutil.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: wldp.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: winhttp.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: mswsock.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: winnsi.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: dpapi.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: msasn1.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: gpapi.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: urlmon.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: srvcli.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: netutils.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: fwpuclnt.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: schannel.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: mskeyprotect.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: ncryptsslp.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: propsys.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: edputil.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: windows.staterepositoryps.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: wintypes.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: appresolver.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: bcp47langs.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: slc.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: sppc.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: onecorecommonproxystub.dll
Source: C:\ProgramData\34vgn892c.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\dcbedta Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\dcbedta Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\dcbedta Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\dcbedta Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: setup.exe Static file information: File size 1949696 > 1048576
Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: setup.exe Static PE information: Raw size of vbhkqplo is bigger than: 0x100000 < 0x1aa800
Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: newlogs.exe, 0000001C.00000002.3747272466.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mozglue.pdbP source: stealc_zov.exe, 0000001E.00000002.3355489493.000000005DB3D000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb source: newlogs.exe, 0000001C.00000002.3747272466.0000000000B59000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nss3.pdb@ source: stealc_zov.exe, 0000001E.00000002.3360499356.000000005DCFF000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdbK& source: newlogs.exe, 0000001C.00000002.3747272466.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdb source: streamer.exe, 0000000E.00000002.1633510777.000000C00029A000.00000004.00001000.00020000.00000000.sdmp, streamer.exe, 0000000E.00000002.1633510777.000000C0001B6000.00000004.00001000.00020000.00000000.sdmp, streamer.exe, 0000000E.00000002.1633510777.000000C00031A000.00000004.00001000.00020000.00000000.sdmp, streamer.exe, 0000000E.00000003.1628415179.000001E9E7300000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb0~ source: newlogs.exe, 0000001C.00000002.3869165497.00000000055D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb source: newlogs.exe, 0000001C.00000002.3747272466.0000000000B37000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nss3.pdb source: stealc_zov.exe, 0000001E.00000002.3360499356.000000005DCFF000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: newlogs.exe, 0000001C.00000002.3747272466.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mozglue.pdb source: stealc_zov.exe, 0000001E.00000002.3355489493.000000005DB3D000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: streamer.exe, 0000000E.00000002.1633510777.000000C00029A000.00000004.00001000.00020000.00000000.sdmp, streamer.exe, 0000000E.00000002.1633510777.000000C0001B6000.00000004.00001000.00020000.00000000.sdmp, streamer.exe, 0000000E.00000002.1633510777.000000C00031A000.00000004.00001000.00020000.00000000.sdmp, streamer.exe, 0000000E.00000003.1628415179.000001E9E7300000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\setup.exe Unpacked PE file: 1.2.setup.exe.780000.0.unpack :EW;.rsrc:W;.idata :W; :EW;vbhkqplo:EW;oxgxjklu:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;vbhkqplo:EW;oxgxjklu:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Unpacked PE file: 11.2.axplong.exe.d50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;vbhkqplo:EW;oxgxjklu:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;vbhkqplo:EW;oxgxjklu:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe Unpacked PE file: 29.2.1.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\dcbedta Unpacked PE file: 39.2.dcbedta.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Unpacked PE file: 41.2.axplong.exe.d50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;vbhkqplo:EW;oxgxjklu:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;vbhkqplo:EW;oxgxjklu:EW;.taggant:EW;
Source: newlogs[1].exe.11.dr Static PE information: 0xB6B5349D [Sat Feb 19 08:13:17 2067 UTC]
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Code function: 18_2_0005BEA9 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 18_2_0005BEA9
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: newlogs[1].exe.11.dr Static PE information: real checksum: 0x0 should be: 0x53c92
Source: crypt6[1].exe.11.dr Static PE information: real checksum: 0x0 should be: 0x81a12
Source: crypt6.exe.11.dr Static PE information: real checksum: 0x0 should be: 0x81a12
Source: newbuild[1].exe.11.dr Static PE information: real checksum: 0x0 should be: 0x59272
Source: stealc_zov[1].exe.11.dr Static PE information: real checksum: 0x0 should be: 0x30e30
Source: stealc_zov.exe.11.dr Static PE information: real checksum: 0x0 should be: 0x30e30
Source: axplong.exe.1.dr Static PE information: real checksum: 0x1ea8f3 should be: 0x1e4112
Source: whiteheroin[1].exe.11.dr Static PE information: real checksum: 0x0 should be: 0x1373ab
Source: setup.exe Static PE information: real checksum: 0x1ea8f3 should be: 0x1e4112
Source: Freshbuild.exe.11.dr Static PE information: real checksum: 0x0 should be: 0x755f6
Source: Freshbuild[1].exe.11.dr Static PE information: real checksum: 0x0 should be: 0x755f6
Source: TpWWMUpe0LEV.exe.11.dr Static PE information: real checksum: 0x0 should be: 0x1373ab
Source: ZharkBOT.exe.11.dr Static PE information: real checksum: 0x0 should be: 0x132e9a
Source: ZharkBOT[1].exe.11.dr Static PE information: real checksum: 0x0 should be: 0x132e9a
Source: newlogs.exe.11.dr Static PE information: real checksum: 0x0 should be: 0x53c92
Source: newbuild.exe.11.dr Static PE information: real checksum: 0x0 should be: 0x59272
Source: setup.exe Static PE information: section name:
Source: setup.exe Static PE information: section name: .idata
Source: setup.exe Static PE information: section name:
Source: setup.exe Static PE information: section name: vbhkqplo
Source: setup.exe Static PE information: section name: oxgxjklu
Source: setup.exe Static PE information: section name: .taggant
Source: axplong.exe.1.dr Static PE information: section name:
Source: axplong.exe.1.dr Static PE information: section name: .idata
Source: axplong.exe.1.dr Static PE information: section name:
Source: axplong.exe.1.dr Static PE information: section name: vbhkqplo
Source: axplong.exe.1.dr Static PE information: section name: oxgxjklu
Source: axplong.exe.1.dr Static PE information: section name: .taggant
Source: whiteheroin[1].exe.11.dr Static PE information: section name: ._LW
Source: TpWWMUpe0LEV.exe.11.dr Static PE information: section name: ._LW
Source: streamer[1].exe.11.dr Static PE information: section name: .xdata
Source: streamer.exe.11.dr Static PE information: section name: .xdata
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Code function: 11_2_00D6D82C push ecx; ret 11_2_00D6D83F
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Code function: 15_2_6CB16CE4 push ecx; ret 15_2_6CB16CF7
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Code function: 15_2_6CB362E5 push ecx; ret 15_2_6CB362F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 17_2_00978EE5 push ecx; ret 17_2_00978EF8
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Code function: 18_2_00041314 push ecx; retn 0000h 18_2_00041315
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Code function: 18_2_0004064F push ss; iretd 18_2_00040650
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Code function: 18_2_0004D82C push ecx; ret 18_2_0004D83F
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Code function: 18_2_0004DED6 push ecx; ret 18_2_0004DEE9
Source: setup.exe Static PE information: section name: entropy: 7.985661636626442
Source: setup.exe Static PE information: section name: vbhkqplo entropy: 7.954343379648948
Source: axplong.exe.1.dr Static PE information: section name: entropy: 7.985661636626442
Source: axplong.exe.1.dr Static PE information: section name: vbhkqplo entropy: 7.954343379648948
Source: whiteheroin[1].exe.11.dr Static PE information: section name: .text entropy: 7.945036065819348
Source: TpWWMUpe0LEV.exe.11.dr Static PE information: section name: .text entropy: 7.945036065819348
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\stealc_zov[1].exe
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\streamer[1].exe
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe File created: C:\ProgramData\34vgn892c.exe
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\whiteheroin[1].exe
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe File created: C:\Users\user\AppData\Roaming\d3d9.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\newbuild[1].exe
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\newlogs[1].exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\dcbedta
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\1[1].exe
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\nss3[1].dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File created: C:\ProgramData\softokn3.dll
Source: C:\ProgramData\34vgn892c.exe File created: C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe File created: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\vcruntime140[1].dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\Freshbuild[1].exe
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File created: C:\ProgramData\nss3.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\50EC.exe
Source: C:\ProgramData\34vgn892c.exe File created: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\msvcp140[1].dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\softokn3[1].dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\crypt6[1].exe
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\freebl3[1].dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe File created: C:\Users\user\AppData\Local\Temp\1000030001\1.exe
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\786A.exe
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\ZharkBOT[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe File created: C:\ProgramData\34vgn892c.exe Jump to dropped file
Source: C:\ProgramData\34vgn892c.exe File created: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\ProgramData\34vgn892c.exe File created: C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\dcbedta Jump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\setup.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\setup.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\setup.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\setup.exe File created: C:\Windows\Tasks\axplong.job
Source: C:\ProgramData\34vgn892c.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 3v82v2vcc2

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\dcbedta:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Code function: 18_2_0004C66B GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 18_2_0004C66B
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\ProgramData\34vgn892c.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Process information set: NOOPENFILEERRORBOX (35 identical entries)
Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe Process information set: NOOPENFILEERRORBOX (3 identical entries)
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Process information set: NOOPENFILEERRORBOX (3 identical entries)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Process information set: NOOPENFILEERRORBOX (90 identical entries)
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX (40 identical entries)
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe Process information set: NOOPENFILEERRORBOX (3 identical entries)
Source: C:\ProgramData\34vgn892c.exe Process information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\50EC.exe Process information set: NOOPENFILEERRORBOX (6 identical entries)

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6 identical entries)
Source: C:\Users\user\AppData\Roaming\dcbedta Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\ProgramData\34vgn892c.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe API/Special instruction interceptor: Address: 7FFB2CECE814
Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe API/Special instruction interceptor: Address: 7FFB2CECD584
Source: C:\Users\user\AppData\Local\Temp\50EC.exe API/Special instruction interceptor: Address: FA2432
Source: C:\Users\user\AppData\Local\Temp\50EC.exe API/Special instruction interceptor: Address: FB9E6B
Source: C:\Users\user\AppData\Local\Temp\50EC.exe API/Special instruction interceptor: Address: 12F7E15
Source: C:\Users\user\AppData\Local\Temp\50EC.exe API/Special instruction interceptor: Address: E0AA71
Source: C:\Users\user\AppData\Local\Temp\50EC.exe API/Special instruction interceptor: Address: 1025B80
Source: C:\Users\user\AppData\Local\Temp\50EC.exe API/Special instruction interceptor: Address: FE8181
Source: C:\Users\user\AppData\Roaming\dcbedta API/Special instruction interceptor: Address: 7FFB2CECE814
Source: C:\Users\user\AppData\Roaming\dcbedta API/Special instruction interceptor: Address: 7FFB2CECD584
Source: C:\Users\user\Desktop\setup.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\setup.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe File opened: HKEY_CURRENT_USER\Software\Wine (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (2 identical entries)
Source: ZharkBOT.exe, 00000023.00000003.1842156114.00000000028C5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0.EXEHOLLOWS_HUNTER32VGAUTHSERVICE.EXEPROCEXP64.EXEPROCEXP.EXEPROCMON.EXEPROCMON64.EXEPESTUDIO.EXEKSDUMPER.EXEPRL_CC.EXEPRL_TOOLS.EXEPE-SIEVE64.EXEMONETA64.EXEFAKENET.EXEWIRESHARK.EXEVBOXSERVICE.EXEVMWAREUSER.EXEVMTOOLSD.EXEVMWARETRAY.EXEVMSRVC.EXEVBOXTRAY.EXECALLED `OPTION::UNWRAP()` ON A `NONE` VALUEC:\USERS\MAGNU\.CARGO\REGISTRY\SRC\INDEX.CRATES.IO-6F17D22BBA15001F\ANTILYSIS-0.1.2\SRC\LIB.RS
Source: 1.exe, 0000001D.00000002.1731834087.0000000002E6E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ASWHOOK
Source: ZharkBOT.exe, 00000023.00000003.1842156114.00000000028C5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCEXP64.EXEPROCEXP.EXEPROCMON.EXEPROCMON64.EXEPESTUDIO.EXEKSDUMPER.EXEPRL_CC.EXEPRL_TOOLS.EXEPE-SIEVE64.EXEMONETA64.EXEFAKENET.EXEWIRESHARK.EXEVBOXSERVICE.EXEVMWAREUSER.EXEVMTOOLSD.EXEVMWARETRAY.EXEVMSRVC.EXEVBOXTRAY.EXECALLED `OPTION::UNWRAP()` ON A `NONE` VALUEC:\USERS\MAGNU\.CARGO\REGISTRY\SRC\INDEX.CRATES.IO-6F17D22BBA15001F\ANTILYSIS-0.1.2\SRC\LIB.RS
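Taken one at a time, the entries in this section are weak signals: SetErrorMode flags are set by plenty of legitimate installers, Win32_DiskDrive and Win32_VideoController are queried by hardware inventory tools, and a single rdtsc pair proves nothing. What supports the verdict is their co-occurrence per process: the same newbuild.exe that suppresses error boxes also enumerates disks and GPUs over WMI, setup.exe probes both the Wine and the VirtualBox ACPI registry keys and then runs the rdtsc sequences listed below, and ZharkBOT.exe carries a concatenated list of analysis-tool process names (the glued form is how adjacent Rust string literals look in a memory dump, since they are not NUL-terminated). The Python script below is an added triage helper written for this page; it is not part of the Joe Sandbox report or of any of the samples. It parses lines in the report's "Source: <path or memory dump> <event kind>: <detail>" format, maps each to an evasion category, counts categories per process, recovers the individual tool names from the glued blacklist string, and reports the byte distance between the two rdtsc sites of an interceptor entry. The sample lines are a constructed subset copied from this section, so the counts it prints are the subset's, not the report's; the category names and regular expressions are this example's own choices.

```python
"""Per-process evasion-indicator triage for Joe Sandbox-style behaviour lines (added example).

Parses "Source: <path or memory dump> <event kind>: <detail>" entries, maps each to an
evasion category and counts them per process. Categories and regexes are this example's own.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict

# Constructed sample: a subset of entries copied from this section of the report.
SAMPLE_LINES = r"""
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\setup.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\setup.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 7EF41B second address: 7EF425 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC35137F18Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: ZharkBOT.exe, 00000023.00000003.1842156114.00000000028C5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCEXP64.EXEPROCEXP.EXEPROCMON.EXEPROCMON64.EXEPESTUDIO.EXEWIRESHARK.EXEVBOXSERVICE.EXEVMTOOLSD.EXEVBOXTRAY.EXECALLED `OPTION::UNWRAP()` ON A `NONE` VALUE
"""

KINDS = ("Process information set", "Key enumerated", "WMI Queries", "System information queried",
         "File opened", "RDTSC instruction interceptor", "API/Special instruction interceptor",
         "Binary or memory string")
LINE_RE = re.compile(r"^Source:\s+(?P<source>.+?)\s+(?P<kind>" + "|".join(map(re.escape, KINDS))
                     + r"):\s*(?P<detail>.*)$")

# (category, event kind, regex over the detail); None means "use split_tool_names()".
RULES = (
    ("error-mode suppression (SetErrorMode)", "Process information set",
     r"NOOPENFILEERRORBOX|NOGPFAULTERRORBOX"),
    ("VM check: SCSI device enumeration", "Key enumerated", r"\\Enum\\SCSI$"),
    ("VM check: WMI Win32_DiskDrive", "WMI Queries", r"Win32_DiskDrive"),
    ("VM check: WMI Win32_VideoController", "WMI Queries", r"Win32_VideoController"),
    ("VM check: firmware tables", "System information queried", r"^FirmwareTableInformation"),
    ("VM check: VirtualBox ACPI DSDT key", "File opened", r"ACPI\\DSDT\\VBOX__"),
    ("Wine check", "File opened", r"\\Software\\Wine"),
    ("timing check: paired rdtsc", "RDTSC instruction interceptor", r"\brdtsc\b.*\brdtsc\b"),
    ("analysis-tool process blacklist", "Binary or memory string", None),
)
BARE_NAME_RE = re.compile(r"^[A-Z0-9_\-]+$")


def process_name(source: str) -> str:
    """'C:\\...\\newbuild.exe' -> 'newbuild.exe'; 'ZharkBOT.exe, 0000...sdmp' -> 'ZharkBOT.exe'."""
    return source.split(",", 1)[0].rsplit("\\", 1)[-1]


def split_tool_names(blob: str) -> list[str]:
    """Recover names from '.EXE'-terminated names stored back to back (Rust string literals are
    not NUL-terminated, so adjacent table entries appear glued in a dump). Only fragments that
    are actually followed by '.EXE' count, so trailing panic text is dropped; a name lacking its
    own '.EXE' stays glued to its neighbour, as in the report's '0.EXEHOLLOWS_HUNTER32...' string."""
    return [f + ".EXE" for f in blob.split(".EXE")[:-1] if BARE_NAME_RE.match(f)]


def rdtsc_gap(detail: str) -> int | None:
    """Byte distance between the two intercepted rdtsc sites. The report's pairs sit a few bytes
    apart with only pushes, pops and junk jumps between them: a read-twice-and-compare probe."""
    m = re.search(r"First address:\s*([0-9A-Fa-f]+)\s+second address:\s*([0-9A-Fa-f]+)", detail)
    return int(m.group(2), 16) - int(m.group(1), 16) if m else None


def classify(kind: str, detail: str) -> str | None:
    """First matching rule wins; entries with no evasion rule return None."""
    for category, rule_kind, pattern in RULES:
        if kind != rule_kind:
            continue
        if pattern is None:
            if len(split_tool_names(detail)) >= 3:  # three or more tool names = a blacklist
                return category
        elif re.search(pattern, detail):
            return category
    return None


def summarize(text: str) -> dict[str, Counter]:
    """Map process name -> Counter of evasion categories seen for it."""
    per_process: dict[str, Counter] = defaultdict(Counter)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # heading, blank line or an event kind we do not model
        category = classify(m["kind"], m["detail"])
        if category:
            per_process[process_name(m["source"])][category] += 1
    return dict(per_process)


if __name__ == "__main__":
    for proc, cats in summarize(SAMPLE_LINES).items():
        print(f"{proc}: {sum(cats.values())} evasion indicator(s)")
        for cat, n in cats.most_common():
            print(f"    {n:>3}  {cat}")
```

Run against a full report export rather than the sample, the per-process totals are what to sort on: a process that trips the error-mode, disk-enumeration and timing rules together is a far stronger candidate for manual review than any single category, and the tool-name list alone tells you which monitoring tools to rename or hide before re-detonating. The rules are deliberately narrow; widen them only with patterns you have seen in a benign baseline as well, so the count stays meaningful.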
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 7EF41B second address: 7EF425 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC35137F18Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 96FE79 second address: 96FE94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC3513526F7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 970197 second address: 9701A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FC35137F186h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9701A1 second address: 9701A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 97356B second address: 973585 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC35137F18Ch 0x00000009 popad 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 973585 second address: 97358B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 97358B second address: 9735B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F197h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d pushad 0x0000000e push edi 0x0000000f push esi 0x00000010 pop esi 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 973600 second address: 97368A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526EAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FC3513526F9h 0x0000000f nop 0x00000010 push 00000000h 0x00000012 mov cx, 5190h 0x00000016 push B3BFDC6Ch 0x0000001b pushad 0x0000001c jmp 00007FC3513526F4h 0x00000021 push ecx 0x00000022 push ecx 0x00000023 pop ecx 0x00000024 pop ecx 0x00000025 popad 0x00000026 add dword ptr [esp], 4C402414h 0x0000002d and ecx, dword ptr [ebp+122D27D5h] 0x00000033 push 00000003h 0x00000035 jno 00007FC3513526ECh 0x0000003b push 00000000h 0x0000003d jmp 00007FC3513526ECh 0x00000042 push 00000003h 0x00000044 pushad 0x00000045 mov esi, dword ptr [ebp+122D2D31h] 0x0000004b popad 0x0000004c push 8E9412B7h 0x00000051 pushad 0x00000052 push ecx 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 97386E second address: 973873 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 973920 second address: 973925 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 973925 second address: 97398A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 2EF1DE6Dh 0x00000010 mov ecx, 4B220AD7h 0x00000015 push 00000003h 0x00000017 mov dx, D290h 0x0000001b push 00000000h 0x0000001d push 00000003h 0x0000001f mov ch, dl 0x00000021 push C0D8C695h 0x00000026 jmp 00007FC35137F194h 0x0000002b xor dword ptr [esp], 00D8C695h 0x00000032 mov ecx, dword ptr [ebp+122D2B6Dh] 0x00000038 movzx esi, dx 0x0000003b lea ebx, dword ptr [ebp+12458475h] 0x00000041 and edi, 701767C8h 0x00000047 xchg eax, ebx 0x00000048 push ebx 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007FC35137F18Bh 0x00000050 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 97398A second address: 97398E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 984CB7 second address: 984CBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 99450C second address: 994516 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FC3513526E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 994516 second address: 994524 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC35137F186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 994524 second address: 99452A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 962EF0 second address: 962F15 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC35137F18Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC35137F190h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 962F15 second address: 962F19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9924A6 second address: 9924AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9924AC second address: 9924BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9927E2 second address: 9927E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9927E6 second address: 99280A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526F8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007FC3513526EEh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 992AC1 second address: 992ADA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FC35137F186h 0x0000000a popad 0x0000000b jmp 00007FC35137F18Eh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 992ADA second address: 992AED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC3513526EFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 992AED second address: 992AF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 992DC4 second address: 992DDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FC3513526E6h 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007FC3513526E6h 0x00000012 js 00007FC3513526E6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 992DDC second address: 992E00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jnl 00007FC35137F186h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jp 00007FC35137F192h 0x00000012 popad 0x00000013 push ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 992F81 second address: 992F87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 962EFA second address: 962F15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC35137F190h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 993203 second address: 993209 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 993209 second address: 99320D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 95F856 second address: 95F85A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 993683 second address: 9936A1 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC35137F199h 0x00000008 jng 00007FC35137F186h 0x0000000e jmp 00007FC35137F18Dh 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 994392 second address: 99439C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC3513526F2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 99439C second address: 9943A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 998380 second address: 9983A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526F0h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jg 00007FC3513526E6h 0x00000012 push esi 0x00000013 pop esi 0x00000014 pop esi 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9983A3 second address: 9983AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9983AB second address: 9983BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 je 00007FC3513526F8h 0x0000000c jo 00007FC3513526F2h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 99BC70 second address: 99BCAB instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC35137F190h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007FC35137F18Ch 0x00000011 pushad 0x00000012 jmp 00007FC35137F196h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A1032 second address: 9A1038 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A1038 second address: 9A1056 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FC35137F188h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FC35137F18Dh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A1056 second address: 9A1064 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC3513526E8h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A0484 second address: 9A048C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A048C second address: 9A0490 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A0490 second address: 9A0494 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A075F second address: 9A076A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jg 00007FC3513526E6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A076A second address: 9A0773 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A0773 second address: 9A07AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526F1h 0x00000007 jmp 00007FC3513526F9h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 js 00007FC3513526E6h 0x00000019 pop edi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A07AD second address: 9A07B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A0E9B second address: 9A0EA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A41C8 second address: 9A41CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A41CE second address: 9A41E3 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC3513526E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A41E3 second address: 9A41E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A41E7 second address: 9A41F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A4811 second address: 9A4815 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A4815 second address: 9A4819 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A4907 second address: 9A490B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A4E26 second address: 9A4E2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A4EBD second address: 9A4EC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A4EC2 second address: 9A4EC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A4EC8 second address: 9A4ECC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A4ECC second address: 9A4EDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jg 00007FC3513526E6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A615C second address: 9A6162 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A73C7 second address: 9A73E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FC3513526F9h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A6C25 second address: 9A6C29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A7FF5 second address: 9A8008 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526ECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A9E2C second address: 9A9E31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A9E31 second address: 9A9E70 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FC3513526F4h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e mov edi, dword ptr [ebp+122D2323h] 0x00000014 push 00000000h 0x00000016 mov esi, dword ptr [ebp+122D2C5Dh] 0x0000001c push 00000000h 0x0000001e movzx esi, di 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 jno 00007FC3513526ECh 0x0000002a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 955774 second address: 955780 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC35137F186h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 955780 second address: 9557A9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 jo 00007FC3513526E6h 0x0000000b pop edx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jng 00007FC351352700h 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007FC3513526EAh 0x0000001c pushad 0x0000001d popad 0x0000001e pushad 0x0000001f popad 0x00000020 popad 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9ADAE6 second address: 9ADAEC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9ADAEC second address: 9ADB0D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC3513526F4h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9ADB0D second address: 9ADB11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9ADB11 second address: 9ADB17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9AEAD5 second address: 9AEB72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F199h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jl 00007FC35137F19Ah 0x0000000f jmp 00007FC35137F194h 0x00000014 popad 0x00000015 mov dword ptr [esp], eax 0x00000018 push 00000000h 0x0000001a push ebx 0x0000001b call 00007FC35137F188h 0x00000020 pop ebx 0x00000021 mov dword ptr [esp+04h], ebx 0x00000025 add dword ptr [esp+04h], 00000014h 0x0000002d inc ebx 0x0000002e push ebx 0x0000002f ret 0x00000030 pop ebx 0x00000031 ret 0x00000032 mov dword ptr [ebp+122D289Ah], edx 0x00000038 push 00000000h 0x0000003a mov edi, ecx 0x0000003c push 00000000h 0x0000003e jbe 00007FC35137F196h 0x00000044 jmp 00007FC35137F190h 0x00000049 xchg eax, esi 0x0000004a push eax 0x0000004b push edi 0x0000004c pushad 0x0000004d popad 0x0000004e pop edi 0x0000004f pop eax 0x00000050 push eax 0x00000051 push edi 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007FC35137F199h 0x00000059 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9AFA53 second address: 9AFACE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007FC3513526E8h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 clc 0x00000026 push eax 0x00000027 jmp 00007FC3513526F0h 0x0000002c pop edi 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push ebp 0x00000032 call 00007FC3513526E8h 0x00000037 pop ebp 0x00000038 mov dword ptr [esp+04h], ebp 0x0000003c add dword ptr [esp+04h], 0000001Ch 0x00000044 inc ebp 0x00000045 push ebp 0x00000046 ret 0x00000047 pop ebp 0x00000048 ret 0x00000049 add edi, dword ptr [ebp+122D2D71h] 0x0000004f push 00000000h 0x00000051 mov ebx, edi 0x00000053 add dword ptr [ebp+122D27D0h], edi 0x00000059 xchg eax, esi 0x0000005a pushad 0x0000005b push eax 0x0000005c push edx 0x0000005d jnc 00007FC3513526E6h 0x00000063 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9AFACE second address: 9AFAD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9AB178 second address: 9AB17F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9AFAD2 second address: 9AFB00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jno 00007FC35137F186h 0x0000000d jmp 00007FC35137F198h 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9ADC85 second address: 9ADC93 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526EAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9AB17F second address: 9AB199 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F18Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007FC35137F186h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9AFB00 second address: 9AFB15 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9AB199 second address: 9AB19F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9ADD34 second address: 9ADD65 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526F8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC3513526F3h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9ADD65 second address: 9ADD77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jng 00007FC35137F188h 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B1DE0 second address: 9B1E07 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526F7h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e jne 00007FC3513526E6h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B2394 second address: 9B2415 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F18Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c xor di, 230Bh 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007FC35137F188h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 00000016h 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d jl 00007FC35137F186h 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push eax 0x00000038 call 00007FC35137F188h 0x0000003d pop eax 0x0000003e mov dword ptr [esp+04h], eax 0x00000042 add dword ptr [esp+04h], 00000019h 0x0000004a inc eax 0x0000004b push eax 0x0000004c ret 0x0000004d pop eax 0x0000004e ret 0x0000004f or ebx, dword ptr [ebp+122D2AD5h] 0x00000055 push edx 0x00000056 mov ebx, dword ptr [ebp+122D39E4h] 0x0000005c pop ebx 0x0000005d xchg eax, esi 0x0000005e push eax 0x0000005f push edx 0x00000060 pushad 0x00000061 jmp 00007FC35137F18Dh 0x00000066 pushad 0x00000067 popad 0x00000068 popad 0x00000069 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B2415 second address: 9B2451 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC3513526EFh 0x00000008 jmp 00007FC3513526ECh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FC3513526F6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B2451 second address: 9B246B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F196h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B4345 second address: 9B434A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B43E5 second address: 9B43E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B534B second address: 9B5350 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B4515 second address: 9B458E instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC35137F186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b mov dword ptr [esp], eax 0x0000000e mov ebx, 772D068Bh 0x00000013 push dword ptr fs:[00000000h] 0x0000001a mov bx, si 0x0000001d mov dword ptr fs:[00000000h], esp 0x00000024 jnc 00007FC35137F18Dh 0x0000002a mov eax, dword ptr [ebp+122D0539h] 0x00000030 mov ebx, 712494A3h 0x00000035 push FFFFFFFFh 0x00000037 push 00000000h 0x00000039 push ecx 0x0000003a call 00007FC35137F188h 0x0000003f pop ecx 0x00000040 mov dword ptr [esp+04h], ecx 0x00000044 add dword ptr [esp+04h], 00000017h 0x0000004c inc ecx 0x0000004d push ecx 0x0000004e ret 0x0000004f pop ecx 0x00000050 ret 0x00000051 movsx edi, cx 0x00000054 mov bx, 578Fh 0x00000058 nop 0x00000059 push eax 0x0000005a jng 00007FC35137F188h 0x00000060 pushad 0x00000061 popad 0x00000062 pop eax 0x00000063 push eax 0x00000064 push edx 0x00000065 push eax 0x00000066 push edx 0x00000067 jnp 00007FC35137F186h 0x0000006d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B633D second address: 9B63A4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jnc 00007FC3513526EEh 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push ebp 0x00000013 call 00007FC3513526E8h 0x00000018 pop ebp 0x00000019 mov dword ptr [esp+04h], ebp 0x0000001d add dword ptr [esp+04h], 00000016h 0x00000025 inc ebp 0x00000026 push ebp 0x00000027 ret 0x00000028 pop ebp 0x00000029 ret 0x0000002a add dword ptr [ebp+122D18D8h], edi 0x00000030 push 00000000h 0x00000032 mov dword ptr [ebp+122D1BB7h], edi 0x00000038 push 00000000h 0x0000003a or edi, 5246F0E6h 0x00000040 xchg eax, esi 0x00000041 pushad 0x00000042 jns 00007FC3513526F5h 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B63A4 second address: 9B63A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B552C second address: 9B553F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 ja 00007FC3513526E6h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B553F second address: 9B5543 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B5543 second address: 9B5549 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B5549 second address: 9B554F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B554F second address: 9B5553 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B5553 second address: 9B5617 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F196h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c cmc 0x0000000d push dword ptr fs:[00000000h] 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 call 00007FC35137F188h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], edi 0x00000021 add dword ptr [esp+04h], 0000001Ah 0x00000029 inc edi 0x0000002a push edi 0x0000002b ret 0x0000002c pop edi 0x0000002d ret 0x0000002e call 00007FC35137F191h 0x00000033 mov edi, dword ptr [ebp+122D2C49h] 0x00000039 pop ebx 0x0000003a mov dword ptr fs:[00000000h], esp 0x00000041 jno 00007FC35137F191h 0x00000047 mov eax, dword ptr [ebp+122D0B69h] 0x0000004d sub dword ptr [ebp+1247C85Bh], ecx 0x00000053 push edi 0x00000054 mov bx, di 0x00000057 pop edi 0x00000058 push FFFFFFFFh 0x0000005a push 00000000h 0x0000005c push ecx 0x0000005d call 00007FC35137F188h 0x00000062 pop ecx 0x00000063 mov dword ptr [esp+04h], ecx 0x00000067 add dword ptr [esp+04h], 00000017h 0x0000006f inc ecx 0x00000070 push ecx 0x00000071 ret 0x00000072 pop ecx 0x00000073 ret 0x00000074 movsx ebx, ax 0x00000077 push eax 0x00000078 push eax 0x00000079 push edx 0x0000007a push esi 0x0000007b jmp 00007FC35137F193h 0x00000080 pop esi 0x00000081 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B84F3 second address: 9B84F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9BA581 second address: 9BA585 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B7639 second address: 9B7643 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FC3513526E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B7643 second address: 9B7647 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B7647 second address: 9B7659 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007FC3513526E6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9BB3D9 second address: 9BB3E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jl 00007FC35137F18Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B97A9 second address: 9B97B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007FC3513526E6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9BC4AF second address: 9BC4B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9BC4B6 second address: 9BC503 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 mov edi, 60131316h 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007FC3513526E8h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 00000014h 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 push ecx 0x0000002a mov di, cx 0x0000002d pop ebx 0x0000002e add edi, 41BE1FE6h 0x00000034 push 00000000h 0x00000036 mov edi, 68E4EC34h 0x0000003b xchg eax, esi 0x0000003c jmp 00007FC3513526EAh 0x00000041 push eax 0x00000042 push eax 0x00000043 pushad 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9BC503 second address: 9BC509 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9BE2F2 second address: 9BE2F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9BE2F7 second address: 9BE2FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9BE2FD second address: 9BE319 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FC3513526F2h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9BD4F8 second address: 9BD512 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC35137F196h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9BD512 second address: 9BD5BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526F0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e mov di, 1F95h 0x00000012 push dword ptr fs:[00000000h] 0x00000019 mov edi, esi 0x0000001b mov dword ptr fs:[00000000h], esp 0x00000022 mov dword ptr [ebp+122D28E8h], ecx 0x00000028 mov eax, dword ptr [ebp+122D1621h] 0x0000002e push 00000000h 0x00000030 push ecx 0x00000031 call 00007FC3513526E8h 0x00000036 pop ecx 0x00000037 mov dword ptr [esp+04h], ecx 0x0000003b add dword ptr [esp+04h], 0000001Dh 0x00000043 inc ecx 0x00000044 push ecx 0x00000045 ret 0x00000046 pop ecx 0x00000047 ret 0x00000048 push FFFFFFFFh 0x0000004a mov di, 5000h 0x0000004e nop 0x0000004f pushad 0x00000050 pushad 0x00000051 jmp 00007FC3513526F7h 0x00000056 push esi 0x00000057 pop esi 0x00000058 popad 0x00000059 jmp 00007FC3513526F3h 0x0000005e popad 0x0000005f push eax 0x00000060 push eax 0x00000061 push edx 0x00000062 push ebx 0x00000063 jmp 00007FC3513526F2h 0x00000068 pop ebx 0x00000069 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 967EE6 second address: 967EF4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F18Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9C62D2 second address: 9C62D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9C62D7 second address: 9C62DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9C6548 second address: 9C654E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9CD6E4 second address: 9CD6FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F18Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9CD80E second address: 9CD812 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9CD812 second address: 9CD845 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jbe 00007FC35137F192h 0x00000010 jnc 00007FC35137F18Ch 0x00000016 mov eax, dword ptr [eax] 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FC35137F193h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9CD845 second address: 9CD854 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC3513526EBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9CD965 second address: 9CD973 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FC35137F186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9CD973 second address: 9CD977 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9CD977 second address: 9CD999 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F192h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e jnl 00007FC35137F186h 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9CD999 second address: 9CD9FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC3513526F7h 0x00000008 jmp 00007FC3513526F1h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 pushad 0x00000015 je 00007FC3513526E8h 0x0000001b push edx 0x0000001c pop edx 0x0000001d push edi 0x0000001e jmp 00007FC3513526F1h 0x00000023 pop edi 0x00000024 popad 0x00000025 mov eax, dword ptr [eax] 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a jmp 00007FC3513526EEh 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9CD9FD second address: 9CDA02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9CDA02 second address: 9CDA14 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9D61D9 second address: 9D61DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9D4EED second address: 9D4EF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9D54BF second address: 9D54C5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9D54C5 second address: 9D54D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FC3513526ECh 0x0000000c jng 00007FC3513526E6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9D54D7 second address: 9D54DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9D54DD second address: 9D54E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9D5641 second address: 9D564D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FC35137F186h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9D590D second address: 9D5911 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9D5911 second address: 9D5917 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9D5917 second address: 9D591D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9D5A6D second address: 9D5A71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9D5A71 second address: 9D5A75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9D5A75 second address: 9D5A81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9D5A81 second address: 9D5A85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9D5A85 second address: 9D5A89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9D5D42 second address: 9D5D46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9D5D46 second address: 9D5D4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9D5D4C second address: 9D5D61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC3513526ECh 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9D5D61 second address: 9D5D8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC35137F197h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 jnc 00007FC35137F186h 0x00000016 pop edi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9D5D8A second address: 9D5D8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9D6064 second address: 9D608E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 je 00007FC35137F186h 0x00000009 jmp 00007FC35137F192h 0x0000000e pop edi 0x0000000f jne 00007FC35137F192h 0x00000015 jnp 00007FC35137F186h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9DF48D second address: 9DF49F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526EEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9DDED4 second address: 9DDED8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9DE024 second address: 9DE02B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9DE186 second address: 9DE18B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9DE733 second address: 9DE739 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9DE8B0 second address: 9DE8F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FC35137F186h 0x0000000a jl 00007FC35137F186h 0x00000010 popad 0x00000011 jmp 00007FC35137F191h 0x00000016 jnp 00007FC35137F188h 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e pushad 0x0000001f jmp 00007FC35137F192h 0x00000024 pushad 0x00000025 popad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9DEBCF second address: 9DEBE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526EEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9DEDC4 second address: 9DEDCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9DEEFA second address: 9DEF00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9DEF00 second address: 9DEF0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pushad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9DEF0A second address: 9DEF12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9DEF12 second address: 9DEF18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9DEF18 second address: 9DEF2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jmp 00007FC3513526ECh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 987CDB second address: 987D0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F18Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FC35137F199h 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 987D0C second address: 987D12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 987D12 second address: 987D16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 987D16 second address: 987D23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 987D23 second address: 987D3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 jbe 00007FC35137F188h 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 js 00007FC35137F186h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9DDB8D second address: 9DDB92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9DDB92 second address: 9DDBA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FC35137F186h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9DDBA2 second address: 9DDBB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9DDBB0 second address: 9DDBB6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9E5F20 second address: 9E5F26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9E5F26 second address: 9E5F2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9E5F2A second address: 9E5F34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FC3513526E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9E4D25 second address: 9E4D44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FC35137F190h 0x0000000b popad 0x0000000c jo 00007FC35137F192h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9E4D44 second address: 9E4D4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9E4E94 second address: 9E4E9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9E4E9E second address: 9E4EAE instructions: 0x00000000 rdtsc 0x00000002 je 00007FC3513526E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9E4EAE second address: 9E4EB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9E4EB2 second address: 9E4EB8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9E4FE7 second address: 9E4FED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9E4FED second address: 9E4FF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9E571A second address: 9E572D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC35137F18Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9E5863 second address: 9E586B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A2B34 second address: 9A2B38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A2B38 second address: 9A2B3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A2B3C second address: 9A2B42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A2B42 second address: 9A2B48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A2B48 second address: 9A2B5E instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC35137F186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edi 0x0000000e jc 00007FC35137F18Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A315F second address: 9A31B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526F4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007FC3513526F4h 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push ebx 0x00000015 jmp 00007FC3513526F8h 0x0000001a pop ebx 0x0000001b mov eax, dword ptr [eax] 0x0000001d push edi 0x0000001e pushad 0x0000001f pushad 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A31B3 second address: 9A31D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FC35137F195h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A31D8 second address: 9A31DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A31DF second address: 9A3254 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop eax 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007FC35137F188h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 0000001Bh 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 mov edi, 60D96B26h 0x00000027 call 00007FC35137F199h 0x0000002c add dword ptr [ebp+122D17D4h], eax 0x00000032 pop ecx 0x00000033 push CA6D4DAAh 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b jmp 00007FC35137F18Dh 0x00000040 jmp 00007FC35137F18Fh 0x00000045 popad 0x00000046 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A33D2 second address: 9A33D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A33D6 second address: 9A33EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC35137F192h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A33EC second address: 9A3419 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ecx 0x0000000a jg 00007FC3513526F9h 0x00000010 pop ecx 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 push edi 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A35F4 second address: 9A366A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007FC35137F188h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 stc 0x00000026 push 00000004h 0x00000028 push 00000000h 0x0000002a push ebx 0x0000002b call 00007FC35137F188h 0x00000030 pop ebx 0x00000031 mov dword ptr [esp+04h], ebx 0x00000035 add dword ptr [esp+04h], 0000001Bh 0x0000003d inc ebx 0x0000003e push ebx 0x0000003f ret 0x00000040 pop ebx 0x00000041 ret 0x00000042 mov ecx, dword ptr [ebp+122D1BE6h] 0x00000048 sub cx, 430Ch 0x0000004d nop 0x0000004e jmp 00007FC35137F196h 0x00000053 push eax 0x00000054 pushad 0x00000055 push eax 0x00000056 push edx 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A366A second address: 9A366E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A366E second address: 9A3681 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F18Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A3681 second address: 9A3685 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A39ED second address: 9A39F3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A39F3 second address: 9A39F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A39F9 second address: 9A39FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9E9E88 second address: 9E9E8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9E9E8C second address: 9E9EE5 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC35137F186h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jbe 00007FC35137F188h 0x00000012 pushad 0x00000013 popad 0x00000014 pop esi 0x00000015 pushad 0x00000016 jmp 00007FC35137F195h 0x0000001b jmp 00007FC35137F193h 0x00000020 jmp 00007FC35137F198h 0x00000025 push ebx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9E9EE5 second address: 9E9EEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9EA1E6 second address: 9EA1EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9EA34E second address: 9EA357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9EA357 second address: 9EA35D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9EFB45 second address: 9EFB67 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FC3513526F6h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9EFB67 second address: 9EFB6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9612AD second address: 9612B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9612B6 second address: 9612BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9F2CE7 second address: 9F2D16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC3513526EBh 0x00000008 push edi 0x00000009 pop edi 0x0000000a popad 0x0000000b je 00007FC3513526F2h 0x00000011 jne 00007FC3513526E6h 0x00000017 jo 00007FC3513526E6h 0x0000001d pop edx 0x0000001e pop eax 0x0000001f push eax 0x00000020 push edx 0x00000021 jp 00007FC3513526E8h 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9F2D16 second address: 9F2D31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC35137F18Ch 0x00000009 jmp 00007FC35137F18Bh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9F2893 second address: 9F28A7 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC3513526E6h 0x00000008 jmp 00007FC3513526EAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9F28A7 second address: 9F28B4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 je 00007FC35137F186h 0x00000009 pop esi 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9F8CF9 second address: 9F8D0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC3513526F0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9F92E6 second address: 9F92EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9FE125 second address: 9FE157 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526F4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d jmp 00007FC3513526F6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9FE157 second address: 9FE17B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC35137F199h 0x0000000b popad 0x0000000c push edx 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9FE17B second address: 9FE181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9FD64C second address: 9FD652 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9FD652 second address: 9FD656 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9FD656 second address: 9FD65A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9FD65A second address: 9FD667 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9FD667 second address: 9FD670 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9FD670 second address: 9FD674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9FD674 second address: 9FD678 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9FDC0F second address: 9FDC13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9FDC13 second address: 9FDC27 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC35137F186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FC35137F18Ah 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A03EB4 second address: A03EBA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A03EBA second address: A03EC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A03EC4 second address: A03EC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A02A2F second address: A02A35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A02E6E second address: A02E72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A3896 second address: 9A38B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC35137F196h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A0329F second address: A032A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A03BDD second address: A03BE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A03BE1 second address: A03BEA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A09EFA second address: A09F00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A09F00 second address: A09F04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A0A209 second address: A0A223 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FC35137F18Dh 0x0000000a jnc 00007FC35137F186h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A0A4DD second address: A0A4E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A0A765 second address: A0A76A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A0AA61 second address: A0AA78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC3513526F2h 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A0ACE6 second address: A0ACED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A0ACED second address: A0ACF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FC3513526E6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 958C38 second address: 958C60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC35137F193h 0x00000009 jo 00007FC35137F186h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 ja 00007FC35137F186h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 958C60 second address: 958C64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A0F767 second address: A0F76D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A0F76D second address: A0F771 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A0F771 second address: A0F777 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A0F8E9 second address: A0F905 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526ECh 0x00000007 jns 00007FC3513526F2h 0x0000000d jg 00007FC3513526E6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A0FB8D second address: A0FB92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A0FB92 second address: A0FB9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FC3513526E6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A0FE27 second address: A0FE2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A0FE2D second address: A0FE36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A10132 second address: A1013C instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC35137F18Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A1013C second address: A10147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A10147 second address: A10154 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FC35137F186h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A10154 second address: A1015C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A1015C second address: A10160 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A1D167 second address: A1D16D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A1D16D second address: A1D179 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FC35137F186h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A1D179 second address: A1D17D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A1BAFD second address: A1BB15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FC35137F18Eh 0x0000000a popad 0x0000000b pushad 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A1BB15 second address: A1BB22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 js 00007FC3513526ECh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A1AF58 second address: A1AF81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FC35137F198h 0x0000000f jc 00007FC35137F186h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A260D9 second address: A260F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A260F4 second address: A260F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A260F8 second address: A260FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A25AC9 second address: A25ADA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FC35137F186h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pop edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A25ADA second address: A25B0D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526F2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a ja 00007FC3513526E8h 0x00000010 push ecx 0x00000011 jbe 00007FC3513526E6h 0x00000017 pushad 0x00000018 popad 0x00000019 pop ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c jc 00007FC3513526E6h 0x00000022 push edx 0x00000023 pop edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A25B0D second address: A25B11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A25C30 second address: A25C54 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC3513526E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jbe 00007FC3513526EAh 0x00000013 push esi 0x00000014 pop esi 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007FC3513526EDh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A25E39 second address: A25E3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A25E3F second address: A25E45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A3D4A9 second address: A3D4B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FC35137F186h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A3D4B3 second address: A3D4B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A3D4B7 second address: A3D4C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A3D4C1 second address: A3D517 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526F2h 0x00000007 jmp 00007FC3513526F5h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jns 00007FC3513526E8h 0x00000014 pushad 0x00000015 popad 0x00000016 jp 00007FC3513526ECh 0x0000001c popad 0x0000001d push edi 0x0000001e push eax 0x0000001f push edx 0x00000020 push edx 0x00000021 pop edx 0x00000022 jmp 00007FC3513526F1h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A3D672 second address: A3D6A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jnc 00007FC35137F186h 0x0000000c popad 0x0000000d jne 00007FC35137F192h 0x00000013 jmp 00007FC35137F18Ch 0x00000018 pushad 0x00000019 jmp 00007FC35137F18Fh 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A3D6A3 second address: A3D6A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A3D6A9 second address: A3D6B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 jg 00007FC35137F186h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A424FE second address: A42504 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A42504 second address: A4250A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A4250A second address: A42510 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A42510 second address: A4251A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FC35137F186h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A4251A second address: A4251E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A4251E second address: A42524 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A43B27 second address: A43B2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A43B2D second address: A43B33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A43B33 second address: A43B3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A5560A second address: A55610 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A5534B second address: A55354 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A55354 second address: A5535E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FC35137F186h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A58F2E second address: A58F50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC3513526F8h 0x00000009 jno 00007FC3513526E6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A58C3A second address: A58C5B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 ja 00007FC35137F1AFh 0x0000000d jmp 00007FC35137F190h 0x00000012 push eax 0x00000013 push edx 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A67B73 second address: A67B77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A67B77 second address: A67B9D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FC35137F18Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c jmp 00007FC35137F18Fh 0x00000011 pushad 0x00000012 popad 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A67B9D second address: A67BB0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526EDh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A67BB0 second address: A67BB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A67A07 second address: A67A0D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A6B6D9 second address: A6B6E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jnp 00007FC35137F186h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A6B6E6 second address: A6B6EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A6B6EC second address: A6B6FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC35137F18Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A6D047 second address: A6D04E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A6D04E second address: A6D05A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A6CF06 second address: A6CF0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A6CF0A second address: A6CF0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A65779 second address: A6577F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A6577F second address: A6579D instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC35137F186h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FC35137F18Bh 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A6579D second address: A657A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A657A2 second address: A657AC instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC35137F192h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A657AC second address: A657B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A7A171 second address: A7A177 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A7A177 second address: A7A17B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A962B8 second address: A962BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A96594 second address: A965A4 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC3513526E6h 0x00000008 jnl 00007FC3513526E6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A965A4 second address: A965B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F18Dh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A965B6 second address: A965EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC3513526EFh 0x00000009 push edi 0x0000000a pop edi 0x0000000b jne 00007FC3513526E6h 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jne 00007FC3513526F2h 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A965EC second address: A965F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A965F2 second address: A965F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A965F6 second address: A965FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A965FA second address: A96600 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A96600 second address: A96606 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A96606 second address: A96610 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC3513526ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A96A0B second address: A96A11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A96A11 second address: A96A16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A96A16 second address: A96A1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A96A1C second address: A96A20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A96D04 second address: A96D1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F195h 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A96D1E second address: A96D24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A9A1A6 second address: A9A1E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F196h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b push esi 0x0000000c jmp 00007FC35137F190h 0x00000011 pop esi 0x00000012 pop ebx 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 push eax 0x00000018 push edx 0x00000019 jng 00007FC35137F18Ch 0x0000001f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A9A1E7 second address: A9A1ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A9A1ED second address: A9A1F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A9CF4A second address: A9CF52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A9F080 second address: A9F08A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FC35137F18Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A9F08A second address: A9F0A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pushad 0x00000006 popad 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC3513526EAh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A9F0A2 second address: A9F0B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC35137F191h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4F0013C second address: 4F00142 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4ED028E second address: 4ED02DC instructions: 0x00000000 rdtsc 0x00000002 mov bh, CFh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, edi 0x00000008 jmp 00007FC3513526EAh 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushfd 0x00000012 jmp 00007FC3513526F7h 0x00000017 add ecx, 5F25F10Eh 0x0000001d jmp 00007FC3513526F9h 0x00000022 popfd 0x00000023 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4ED02DC second address: 4ED035E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bl, F2h 0x00000006 popad 0x00000007 xchg eax, edi 0x00000008 jmp 00007FC35137F196h 0x0000000d test esi, esi 0x0000000f jmp 00007FC35137F190h 0x00000014 je 00007FC3C3C3D48Fh 0x0000001a jmp 00007FC35137F190h 0x0000001f cmp dword ptr [esi+08h], DDEEDDEEh 0x00000026 pushad 0x00000027 mov eax, 795F45ADh 0x0000002c call 00007FC35137F18Ah 0x00000031 mov dh, cl 0x00000033 pop ebx 0x00000034 popad 0x00000035 je 00007FC3C3C3D474h 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007FC35137F199h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4ED035E second address: 4ED0385 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [esi+44h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC3513526EDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4ED0385 second address: 4ED03D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F191h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 or edx, dword ptr [ebp+0Ch] 0x0000000c jmp 00007FC35137F18Eh 0x00000011 test edx, 61000000h 0x00000017 pushad 0x00000018 mov eax, 007936BDh 0x0000001d mov eax, 7F0781B9h 0x00000022 popad 0x00000023 jne 00007FC3C3C3D451h 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FC35137F18Bh 0x00000030 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4ED03D0 second address: 4ED03F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC3513526EFh 0x00000008 mov ah, 2Fh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d test byte ptr [esi+48h], 00000001h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4ED03F1 second address: 4ED040D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F198h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4ED040D second address: 4ED042F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC3513526ECh 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007FC3C3C10968h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov dx, 72A0h 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4ED042F second address: 4ED044F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop ebx 0x00000005 call 00007FC35137F18Eh 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e test bl, 00000007h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4ED044F second address: 4ED0453 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4ED0453 second address: 4ED0457 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4ED0457 second address: 4ED045D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4EC0778 second address: 4EC077D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4EC077D second address: 4EC0783 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4EC0783 second address: 4EC07E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push esp 0x00000008 pushad 0x00000009 pushfd 0x0000000a jmp 00007FC35137F18Ch 0x0000000f or ch, 00000008h 0x00000012 jmp 00007FC35137F18Bh 0x00000017 popfd 0x00000018 mov si, 827Fh 0x0000001c popad 0x0000001d mov dword ptr [esp], ebp 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007FC35137F190h 0x00000027 add cx, 0E68h 0x0000002c jmp 00007FC35137F18Bh 0x00000031 popfd 0x00000032 mov eax, 6AF42C5Fh 0x00000037 popad 0x00000038 mov ebp, esp 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4EC07E1 second address: 4EC07E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4EC07E7 second address: 4EC0823 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC35137F18Bh 0x00000009 adc ax, 325Eh 0x0000000e jmp 00007FC35137F199h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 and esp, FFFFFFF8h 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d push edx 0x0000001e pop eax 0x0000001f push edx 0x00000020 pop ecx 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4EC0823 second address: 4EC0907 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, 39EDh 0x00000007 mov edi, eax 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebx 0x0000000d pushad 0x0000000e mov ax, 4B21h 0x00000012 pushfd 0x00000013 jmp 00007FC3513526EEh 0x00000018 xor eax, 70BD70B8h 0x0000001e jmp 00007FC3513526EBh 0x00000023 popfd 0x00000024 popad 0x00000025 push eax 0x00000026 jmp 00007FC3513526F9h 0x0000002b xchg eax, ebx 0x0000002c jmp 00007FC3513526EEh 0x00000031 xchg eax, esi 0x00000032 jmp 00007FC3513526F0h 0x00000037 push eax 0x00000038 pushad 0x00000039 call 00007FC3513526F1h 0x0000003e pushfd 0x0000003f jmp 00007FC3513526F0h 0x00000044 add ch, FFFFFFD8h 0x00000047 jmp 00007FC3513526EBh 0x0000004c popfd 0x0000004d pop eax 0x0000004e mov ebx, 44F86D1Ch 0x00000053 popad 0x00000054 xchg eax, esi 0x00000055 pushad 0x00000056 push eax 0x00000057 push edx 0x00000058 pushfd 0x00000059 jmp 00007FC3513526F7h 0x0000005e xor esi, 485E6F4Eh 0x00000064 jmp 00007FC3513526F9h 0x00000069 popfd 0x0000006a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4EC0907 second address: 4EC094C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov bh, ah 0x00000008 popad 0x00000009 mov esi, dword ptr [ebp+08h] 0x0000000c pushad 0x0000000d mov dx, E5BAh 0x00000011 pushfd 0x00000012 jmp 00007FC35137F18Bh 0x00000017 or ax, 9D5Eh 0x0000001c jmp 00007FC35137F199h 0x00000021 popfd 0x00000022 popad 0x00000023 sub ebx, ebx 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4EC094C second address: 4EC0950 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4EC0950 second address: 4EC0954 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4EC0954 second address: 4EC095A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4EC095A second address: 4EC095F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4EC095F second address: 4EC09F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FC3513526F7h 0x0000000a add cl, 0000001Eh 0x0000000d jmp 00007FC3513526F9h 0x00000012 popfd 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 test esi, esi 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007FC3513526F3h 0x00000021 sub eax, 11F2822Eh 0x00000027 jmp 00007FC3513526F9h 0x0000002c popfd 0x0000002d pushfd 0x0000002e jmp 00007FC3513526F0h 0x00000033 adc ch, FFFFFFA8h 0x00000036 jmp 00007FC3513526EBh 0x0000003b popfd 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4EC09F5 second address: 4EC0A7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F199h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FC3C3C44B02h 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FC35137F18Ch 0x00000016 adc cx, 8D38h 0x0000001b jmp 00007FC35137F18Bh 0x00000020 popfd 0x00000021 popad 0x00000022 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007FC35137F18Eh 0x00000032 xor eax, 7D880798h 0x00000038 jmp 00007FC35137F18Bh 0x0000003d popfd 0x0000003e call 00007FC35137F198h 0x00000043 pop esi 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4EC0A7D second address: 4EC0A99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526F0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4EC0A99 second address: 4EC0A9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4EC0A9D second address: 4EC0AA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4EC0AA1 second address: 4EC0AA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4EC0AA7 second address: 4EC0AB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC3513526EBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4EC0AB6 second address: 4EC0ABA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4EC0ABA second address: 4EC0AEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FC3C3C17FC7h 0x0000000e jmp 00007FC3513526F5h 0x00000013 test byte ptr [77816968h], 00000002h 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d mov dh, AFh 0x0000001f mov dl, ah 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4EC0AEC second address: 4EC0B16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FC3C3C44A47h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FC35137F197h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4EC0B16 second address: 4EC0B1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4EC0B1A second address: 4EC0B20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4EC0B20 second address: 4EC0B26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4EC0B26 second address: 4EC0B4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edx, dword ptr [ebp+0Ch] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC35137F199h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4EC0B4C second address: 4EC0B52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4EC0B52 second address: 4EC0B56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4EC0B56 second address: 4EC0B5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4EC0B5A second address: 4EC0BA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007FC35137F192h 0x0000000f popad 0x00000010 mov dword ptr [esp], ebx 0x00000013 pushad 0x00000014 mov esi, edi 0x00000016 mov si, bx 0x00000019 popad 0x0000001a push ebx 0x0000001b pushad 0x0000001c jmp 00007FC35137F18Eh 0x00000021 popad 0x00000022 mov dword ptr [esp], ebx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 mov edi, esi 0x0000002a mov ecx, 6C7B2A6Bh 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4EC0BA0 second address: 4EC0BDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 mov esi, 5084F33Fh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push dword ptr [ebp+14h] 0x00000011 jmp 00007FC3513526F2h 0x00000016 push dword ptr [ebp+10h] 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FC3513526F7h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4EC0BDF second address: 4EC0BE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4EC0BE5 second address: 4EC0BE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4EC0C05 second address: 4EC0C09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4EC0C09 second address: 4EC0C0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4EC0C0F second address: 4EC0C47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F18Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a jmp 00007FC35137F190h 0x0000000f pop ebx 0x00000010 jmp 00007FC35137F190h 0x00000015 mov esp, ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4EC0C47 second address: 4EC0C4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe Special instruction interceptor: First address: 99A9CF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\setup.exe Special instruction interceptor: First address: A28DCE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Special instruction interceptor: First address: F6A9CF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Special instruction interceptor: First address: FF8DCE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Memory allocated: 30A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Memory allocated: 3220000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Memory allocated: 5220000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 1520000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2F70000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2DB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Memory allocated: 8D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Memory allocated: 2590000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Memory allocated: 4590000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Memory allocated: 1450000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Memory allocated: 3120000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Memory allocated: 2F20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\setup.exe Code function: 1_2_04F40C63 rdtsc 1_2_04F40C63
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Thread delayed: delay time: 180000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Window / User API: threadDelayed 745
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Window / User API: threadDelayed 718
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Window / User API: threadDelayed 783
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Window / User API: threadDelayed 843
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Window / User API: threadDelayed 789
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Window / User API: threadDelayed 3452
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Window / User API: threadDelayed 9620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 1644
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 6490
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Window / User API: threadDelayed 9999
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Window / User API: threadDelayed 2175
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 4949
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 743
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 734
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 701
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\ProgramData\34vgn892c.exe Dropped PE file which has not been started: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\msvcp140[1].dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\softokn3[1].dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\freebl3[1].dll
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\d3d9.dll
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\786A.exe
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\nss3[1].dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\mozglue[1].dll
Source: C:\ProgramData\34vgn892c.exe Dropped PE file which has not been started: C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\vcruntime140[1].dll
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe API coverage: 3.2 %
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7564 Thread sleep count: 41 > 30
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7564 Thread sleep time: -82041s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7548 Thread sleep count: 745 > 30
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7548 Thread sleep time: -1490745s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7524 Thread sleep count: 269 > 30
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7524 Thread sleep time: -8070000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7540 Thread sleep count: 718 > 30
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7540 Thread sleep time: -1436718s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7648 Thread sleep time: -720000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7556 Thread sleep count: 783 > 30
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7556 Thread sleep time: -1566783s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7544 Thread sleep count: 843 > 30
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7544 Thread sleep time: -1686843s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7552 Thread sleep count: 789 > 30
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7552 Thread sleep time: -1578789s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7544 Thread sleep count: 3452 > 30
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7544 Thread sleep time: -6907452s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe TID: 8048 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe TID: 8188 Thread sleep count: 9620 > 30
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe TID: 8188 Thread sleep time: -288600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe TID: 6696 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2860 Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1228 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe TID: 4016 Thread sleep time: -35000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe TID: 2864 Thread sleep time: -59994000s >= -30000s
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 3260 Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe TID: 5664 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe TID: 2168 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 5576 Thread sleep time: -494900s >= -30000s
Source: C:\Windows\explorer.exe TID: 4580 Thread sleep time: -74300s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe TID: 2348 Thread sleep time: -60000s >= -30000s
Source: C:\ProgramData\34vgn892c.exe TID: 4512 Thread sleep time: -30000s >= -30000s
Source: C:\ProgramData\34vgn892c.exe TID: 4512 Thread sleep time: -1380000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\50EC.exe TID: 7508 Thread sleep time: -30000s >= -30000s
Source: C:\ProgramData\34vgn892c.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\ProgramData\34vgn892c.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Last function: Thread delayed
Source: C:\ProgramData\34vgn892c.exe Last function: Thread delayed
Source: C:\ProgramData\34vgn892c.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\setup.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Code function: 15_2_6CB10008 FindFirstFileExW, 15_2_6CB10008
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Code function: 18_2_0006DAAD FindFirstFileExW, 18_2_0006DAAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 17_2_00975DA0 GetSystemInfo, 17_2_00975DA0
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Thread delayed: delay time: 180000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe Thread delayed: delay time: 30000
Source: C:\ProgramData\34vgn892c.exe Thread delayed: delay time: 30000
Source: C:\ProgramData\34vgn892c.exe Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V kwcbewswwrbpkye Bus Pipes
Source: explorer.exe, 00000022.00000000.1680381654.0000000000C74000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000I
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Virtual ProcessorQ!
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: axplong.exe, 0000000B.00000002.3748613213.00000000016A0000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792182419.00000000035E3000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.00000000035E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
Source: explorer.exe, 00000022.00000000.1690337457.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2Hyper-V VM Vid Partitioni
Source: ZharkBOT.exe, 00000023.00000003.1842156114.00000000028C5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0.exehollows_hunter32VGAuthService.exeprocexp64.exeprocexp.exeProcmon.exeProcmon64.exepestudio.exeKsDumper.exeprl_cc.exeprl_tools.exepe-sieve64.exeMoneta64.exefakenet.exeWireshark.exeVBoxService.exeVMwareUser.exevmtoolsd.exeVMwareTray.exevmsrvc.exeVBoxTray.execalled `Option::unwrap()` on a `None` valueC:\Users\Magnu\.cargo\registry\src\index.crates.io-6f17d22bba15001f\antilysis-0.1.2\src\lib.rs
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696492231o
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Partition
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696492231
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partitionq+
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: ZharkBOT.exe, 00000023.00000003.1842156114.00000000028C5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: procexp64.exeprocexp.exeProcmon.exeProcmon64.exepestudio.exeKsDumper.exeprl_cc.exeprl_tools.exepe-sieve64.exeMoneta64.exefakenet.exeWireshark.exeVBoxService.exeVMwareUser.exevmtoolsd.exeVMwareTray.exevmsrvc.exeVBoxTray.execalled `Option::unwrap()` on a `None` valueC:\Users\Magnu\.cargo\registry\src\index.crates.io-6f17d22bba15001f\antilysis-0.1.2\src\lib.rs
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AlDHyper-V Virtual Machine Bus PipesN
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: explorer.exe, 00000022.00000003.1889937978.0000000003269000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIES1371
Source: explorer.exe, 00000022.00000003.1889937978.0000000003269000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware Virtual RAM
Source: explorer.exe, 00000022.00000003.1889937978.0000000003269000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: explorer.exe, 00000022.00000000.1690337457.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: setup.exe, setup.exe, 00000001.00000002.1335849425.0000000000977000.00000040.00000001.01000000.00000003.sdmp, axplong.exe, axplong.exe, 0000000B.00000002.3727570665.0000000000F47000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Virtual Processor
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: ZharkBOT.exe, 00000023.00000003.1752091611.0000000000A81000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: e9574Retrieval: Bytes served9576Discovery: Weighted average discovery time9578SMB: Bytes from cache9580SMB: Bytes from server9582BITS: Bytes from cache9584BITS: Bytes from server9586WININET: Bytes from cache9588WININET: Bytes from server9590WINHTTP: Bytes from cache9592WINHTTP: Bytes from server9594OTHER: Bytes from cache9596OTHER: Bytes from server9598Discovery: Attempted discoveries9600Local Cache: Cache complete file segments9602Local Cache: Cache partial file segments9604Hosted Cache: Client file segment offers made9606Retrieval: Average branch rate9608Discovery: Successful discoveries9610Hosted Cache: Segment offers queue size9612Publication Cache: Published contents9614Local Cache: Average access time3432WSMan Quota Statistics3434Total Requests/Second3436User Quota Violations/Second3438System Quota Violations/Second3440Active Shells3442Active Operations3444Active Users3446Process ID1914Hyper-V VM Vid Partition1916Physical Pages Allocated1918Preferred NUMA Node Index1920Remote Physical Pages1922ClientHandles1924CompressPackTimeInUs1926CompressUnpackTimeInUs1928CompressPackInputSizeInBytes1930CompressUnpackInputSizeInBytes1932CompressPackOutputSizeInBytes1934CompressUnpackOutputSizeInBytes1936CompressUnpackUncompressedInputSizeInBytes1938CompressPackDiscardedSizeInBytes1940CompressWorkspaceSizeInBytes1942CompressScratchPoolSizeInBytes1944CryptPackTimeInUs1946CryptUnpackTimeInUs1948CryptPackInputSizeInBytes1950CryptUnpackInputSizeInBytes1952CryptPackOutputSizeInBytes1954CryptUnpackOutputSizeInBytes1956CryptScratchPoolSizeInBytes}
Source: ZharkBOT.exe, 00000023.00000002.1897190904.00000000009AE000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.00000000038D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: ZharkBOT.exe, 00000023.00000003.1803784360.00000000028CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwarex
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Hypervisor Root Partition
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V Hypervisor
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: explorer.exe, 00000022.00000003.1889937978.0000000003269000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.NoneVMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9dVMware20,1
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: explorer.exe, 00000022.00000003.1889937978.0000000003269000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical ProcessorR
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus Pipesl
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492231s
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696492231
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical Processor
Source: ZharkBOT.exe, 00000023.00000002.1897190904.00000000009AE000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.00000000038D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor
Source: ZharkBOT.exe, 00000023.00000003.1760923673.0000000002817000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1761418251.0000000002817000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1752850595.0000000002817000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1756025079.0000000002817000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1756297161.0000000002817000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1
Source: setup.exe, 00000001.00000002.1335849425.0000000000977000.00000040.00000001.01000000.00000003.sdmp, axplong.exe, 0000000B.00000002.3727570665.0000000000F47000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partitionty
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: ZharkBOT.exe, 00000023.00000003.1754530285.00000000027E1000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1755563652.00000000027E1000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1755254416.00000000027E1000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1754015437.00000000027E1000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1755213622.00000000027E1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumula
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: newbuild.exe, 00000021.00000002.1833633665.0000000003305000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,1169649
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492231s
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: axplong.exe, 0000000B.00000002.3748613213.00000000016E4000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp, Hkbsse.exe, 00000013.00000002.3737039002.0000000000CED000.00000004.00000020.00020000.00000000.sdmp, Hkbsse.exe, 00000013.00000002.3737039002.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000002.1788412749.000000000367D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000002.1788268061.0000000003638000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1786290518.000000000367D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1654071650.0000000003698000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Virtual Machine Bus Pipes
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Partitionl|"
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231
Source: explorer.exe, 00000022.00000003.1889937978.0000000003269000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696492231f
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696492231j
Source: explorer.exe, 00000022.00000000.1690337457.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: ZharkBOT.exe, 00000023.00000003.1795914074.0000000002A11000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware`
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus Pipes
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: explorer.exe, 00000022.00000000.1690337457.0000000009052000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000}io
Source: explorer.exe, 00000022.00000000.1690337457.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000I}~"
Source: explorer.exe, 00000022.00000000.1690337457.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696492231o
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: explorer.exe, 00000022.00000003.1889937978.0000000003269000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware20,1
Source: ZharkBOT.exe, 00000023.00000003.1803784360.00000000028CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: explorer.exe, 00000022.00000000.1685006963.0000000007306000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: War&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000022.00000000.1690337457.0000000008F27000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWT`
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical ProcessorH
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: explorer.exe, 00000022.00000000.1680381654.0000000000C74000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X2Hyper-V VM Vid Partition
Source: explorer.exe, 00000022.00000003.1889937978.0000000003269000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: ZharkBOT.exe, 00000023.00000003.1761590219.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1753483411.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1760636118.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1754102657.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1750635652.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor
Source: ZharkBOT.exe, 00000023.00000002.1897190904.00000000009AE000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.00000000038D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V kwcbewswwrbpkye Bus
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sWDHyper-V Hypervisor Root Partition
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V Hypervisor_:
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Service]#
Source: BitLockerToGo.exe, 0000001F.00000003.1666459560.00000000059CA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696492231p
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: explorer.exe, 00000022.00000000.1685006963.0000000007306000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: War&Prod_VMware_xU1
Source: streamer.exe, 0000000E.00000002.1635498473.000001E9A1CEF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.1752632375.000000000591F000.00000004.00000020.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3747272466.0000000000B46000.00000004.00000020.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1832430992.000000000164C000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1801728831.000000000369C000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1801837427.0000000003878000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792258046.0000000003888000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: ZharkBOT.exe, 00000023.00000003.1756999496.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1757735413.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1757542291.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1757481376.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count SnapshotH
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696492231j
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696492231f
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW\
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: explorer.exe, 00000022.00000000.1690337457.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\machine.inf_loc5
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: explorer.exe, 00000022.00000003.1889937978.0000000003269000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
Source: explorer.exe, 00000022.00000000.1690337457.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMWare
Source: aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1803784360.000000000290C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWH
Source: explorer.exe, 00000022.00000000.1690337457.0000000009052000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000'
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration ServiceF
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration Service%!
Source: explorer.exe, 00000022.00000000.1680381654.0000000000C74000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: ZharkBOT.exe, 00000023.00000003.1754102657.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1753543275.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost
Source: C:\Users\user\Desktop\setup.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\setup.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\dcbedta System information queried: CodeIntegrityInformation
Source: C:\Users\user\Desktop\setup.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe File opened: SIWVID
Source: C:\Users\user\Desktop\setup.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\setup.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\setup.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\dcbedta Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\setup.exe Code function: 1_2_04F40C63 rdtsc 1_2_04F40C63
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Code function: 15_2_6CB0B9BA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_6CB0B9BA
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Code function: 18_2_0005BEA9 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 18_2_0005BEA9
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Code function: 11_2_00D8643B mov eax, dword ptr fs:[00000030h] 11_2_00D8643B
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Code function: 11_2_00D8A1A2 mov eax, dword ptr fs:[00000030h] 11_2_00D8A1A2
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Code function: 15_2_6CB349D0 mov eax, dword ptr fs:[00000030h] 15_2_6CB349D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 17_2_009775D0 mov eax, dword ptr fs:[00000030h] 17_2_009775D0
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Code function: 18_2_0006A1A2 mov eax, dword ptr fs:[00000030h] 18_2_0006A1A2
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Code function: 18_2_0006643B mov eax, dword ptr fs:[00000030h] 18_2_0006643B
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Code function: 15_2_6CB1172D GetProcessHeap, 15_2_6CB1172D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Code function: 15_2_6CB0B4E1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_2_6CB0B4E1
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Code function: 15_2_6CB0B9BA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_6CB0B9BA
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Code function: 15_2_6CB0F957 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_6CB0F957
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Code function: 18_2_0004D0ED SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 18_2_0004D0ED
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Code function: 18_2_000669BE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_000669BE
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Code function: 18_2_0004DAB5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_0004DAB5
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Code function: 18_2_0004DC1A SetUnhandledExceptionFilter, 18_2_0004DC1A
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe File created: dcbedta.34.dr
Source: C:\Windows\explorer.exe Network Connect: 176.29.154.25 80
Source: C:\Windows\explorer.exe Network Connect: 127.0.0.127 80
Source: C:\Windows\explorer.exe Network Connect: 141.8.192.6 80
Source: C:\Windows\explorer.exe Network Connect: 102.187.252.37 80
Source: C:\Windows\explorer.exe Network Connect: 188.114.96.3 80
Source: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 32E0000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 960000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Code function: 15_2_6CB02F20 HonorInc,GetConsoleWindow,ShowWindow,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,CloseHandle,CloseHandle,GetConsoleWindow,ShowWindow,VirtualAlloc,WriteProcessMemory,SetThreadContext,ResumeThread, 15_2_6CB02F20
Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe Thread created: C:\Windows\explorer.exe EIP: 86E19D0
Source: C:\Users\user\AppData\Roaming\dcbedta Thread created: unknown EIP: F519D0
Source: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 32E0000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 960000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: streamer.exe, 0000000E.00000003.1632231684.000001E9E72A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: pedestriankodwu.xyz
Source: streamer.exe, 0000000E.00000003.1632231684.000001E9E72A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: towerxxuytwi.xyzi
Source: streamer.exe, 0000000E.00000003.1632231684.000001E9E72A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: ellaboratepwsz.xyz
Source: streamer.exe, 0000000E.00000003.1632231684.000001E9E72A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: penetratedpoopp.xyz
Source: streamer.exe, 0000000E.00000003.1632231684.000001E9E72A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: swellfrrgwwos.xyze
Source: streamer.exe, 0000000E.00000003.1632231684.000001E9E72A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: contintnetksows.shop
Source: streamer.exe, 0000000E.00000003.1632231684.000001E9E72A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: foodypannyjsud.shop
Source: streamer.exe, 0000000E.00000003.1632231684.000001E9E72A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: potterryisiw.shop
Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\dcbedta Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\dcbedta Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 32E0000
Source: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 3106008
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 960000
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 961000
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 97C000
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 984000
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: B97000
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 7A4008
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44E000
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F66008
Source: C:\Users\user\Desktop\setup.exe Process created: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe "C:\Users\user~1\AppData\Local\Temp\8254624243\axplong.exe"
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe "C:\Users\user~1\AppData\Local\Temp\1000111001\streamer.exe"
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe "C:\Users\user~1\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe"
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe "C:\Users\user~1\AppData\Local\Temp\1000125001\Freshbuild.exe"
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe "C:\Users\user~1\AppData\Local\Temp\1000128001\crypt6.exe"
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe "C:\Users\user~1\AppData\Local\Temp\1000130001\newlogs.exe"
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe "C:\Users\user~1\AppData\Local\Temp\1000131001\stealc_zov.exe"
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe "C:\Users\user~1\AppData\Local\Temp\1000132001\newbuild.exe"
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe "C:\Users\user~1\AppData\Local\Temp\1000144001\ZharkBOT.exe"
Source: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Process created: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe "C:\Users\user~1\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Process created: C:\Users\user\AppData\Local\Temp\1000030001\1.exe "C:\Users\user~1\AppData\Local\Temp\1000030001\1.exe"
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe Process created: C:\ProgramData\34vgn892c.exe "C:\ProgramData\34vgn892c.exe"
Source: C:\ProgramData\34vgn892c.exe Process created: unknown unknown
Source: explorer.exe, 00000022.00000000.1684732430.0000000004880000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000022.00000000.1680896082.0000000001440000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000022.00000003.1891078527.0000000009013000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000022.00000000.1680896082.0000000001440000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000022.00000000.1680896082.0000000001440000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: ?Program Manager
Source: explorer.exe, 00000022.00000000.1680381654.0000000000C59000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1Progman
Source: setup.exe, setup.exe, 00000001.00000002.1335849425.0000000000977000.00000040.00000001.01000000.00000003.sdmp, axplong.exe, axplong.exe, 0000000B.00000002.3727570665.0000000000F47000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: MProgram Manager
Source: explorer.exe, 00000022.00000000.1680896082.0000000001440000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Code function: 11_2_00D6D2E8 cpuid 11_2_00D6D2E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: GetLocaleInfoA, 17_2_00975A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000115001\build.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000115001\build.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000116001\FILE1.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe Queries volume information: C:\Windows VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe Queries volume information: C:\Windows\AppReadiness VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Queries volume information: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000030001\1.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000030001\1.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Code function: 11_2_00D6CAED GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 11_2_00D6CAED
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe Code function: 11_2_00D56590 LookupAccountNameA, 11_2_00D56590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 17_2_00975900 GetTimeZoneInformation, 17_2_00975900
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Code function: 18_2_00037CE0 GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo, 18_2_00037CE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: ZharkBOT.exe, 00000023.00000003.1801837427.0000000003803000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: RegAsm.exe, 00000017.00000002.1729603408.0000000001365000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fender\MsMpeng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 40.0.Hkbsse.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.Freshbuild.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.Hkbsse.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Hkbsse.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.Freshbuild.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Hkbsse.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.Hkbsse.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.axplong.exe.d50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.Hkbsse.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.axplong.exe.d50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.setup.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000028.00000000.1918746786.00000000000A1000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.3721434800.00000000000A1000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.1558483602.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1335718111.0000000000781000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.1949201156.0000000005430000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3724885507.0000000000D51000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1340637010.0000000005450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.1931585603.00000000000A1000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.1571924265.00000000000A1000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1591289151.00000000000A1000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.1990646891.0000000000D51000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.1580634291.00000000000A1000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1295247202.0000000004D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000001.1558636048.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\Freshbuild[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe, type: DROPPED
Source: Yara match File source: Process Memory Space: BitLockerToGo.exe PID: 1504, type: MEMORYSTR
Source: Yara match File source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.aspnet_regiis.exe.960000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.stealc_zov.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.aspnet_regiis.exe.960000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.stealc_zov.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.TpWWMUpe0LEV.exe.6cb00000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.2975005911.0000000000960000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.3246282241.0000000000671000.00000080.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.1626680891.0000000000671000.00000080.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\stealc_zov[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe, type: DROPPED
Source: Yara match File source: 23.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.crypt6.exe.950000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.0.newbuild.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.newlogs.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000002.1766982252.0000000000984000.00000004.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.1604424609.0000000000242000.00000002.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.1725978010.0000000000421000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: crypt6.exe PID: 1196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7444, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: newlogs.exe PID: 6184, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: newbuild.exe PID: 316, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\newlogs[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\newbuild[1].exe, type: DROPPED
Source: Yara match File source: 0000001D.00000002.1733003318.0000000004751000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.2186372317.0000000002DA1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.2185877753.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.1731795497.0000000002E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2985442915.0000000000D97000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.2053180664.00000000032CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.1790275554.00000000028D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.2065808485.00000000032CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.1803784360.00000000028CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.3253196332.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2979412810.00000000009A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: aspnet_regiis.exe PID: 8052, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: stealc_zov.exe PID: 1272, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ZharkBOT.exe PID: 2908, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.aspnet_regiis.exe.960000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.stealc_zov.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.aspnet_regiis.exe.960000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.stealc_zov.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.TpWWMUpe0LEV.exe.6cb00000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.2975005911.0000000000960000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.3246282241.0000000000671000.00000080.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.1626680891.0000000000671000.00000080.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: stealc_zov.exe PID: 1272, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\stealc_zov[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe, type: DROPPED
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ElectrumE#
Source: stealc_zov.exe, 0000001E.00000002.3247862322.00000000007BA000.00000004.00000001.01000000.00000014.sdmp String found in binary or memory: allets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 00000017.00000002.1730701339.000000000320C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q5C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: RegAsm.exe, 00000017.00000002.1730701339.00000000031B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
Source: RegAsm.exe, 00000017.00000002.1730701339.000000000320C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.walletLR
Source: RegAsm.exe, 00000017.00000002.1730701339.000000000320C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum\walletsLR
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ExodusE#
Source: RegAsm.exe, 00000017.00000002.1730701339.000000000320C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: qdC:\Users\user\AppData\Roaming\Binance
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: EthereumE#
Source: RegAsm.exe, 00000017.00000002.1730701339.000000000320C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q&%localappdata%\Coinomi\Coinomi\walletsLR
Source: RegAsm.exe, 00000017.00000002.1730701339.000000000320C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q9C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\*.*Lk
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-shm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite-shm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-wal
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla\Notes9.db
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Directory queried: C:\Users\user\Documents\LFOPODGVOH
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Directory queried: C:\Users\user\Documents\LFOPODGVOH
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Directory queried: C:\Users\user\Documents\UNKRLCVOHV
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Directory queried: C:\Users\user\Documents\UNKRLCVOHV
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Directory queried: C:\Users\user\Documents\WSHEJMDVQC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Directory queried: C:\Users\user\Documents\WSHEJMDVQC
Source: Yara match File source: 0000001F.00000003.1709677823.00000000036E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.1653312909.00000000036E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.1710428950.00000000036E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.1665322987.00000000036E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.1730701339.000000000320C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7444, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: stealc_zov.exe PID: 1272, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BitLockerToGo.exe PID: 1504, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: newbuild.exe PID: 316, type: MEMORYSTR
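The file and registry accesses listed above are this section's actual finding, but the raw listing buries the most important signal: the processes reading browser credential stores, wallet directories, FTP client configurations and the Outlook profile key include Microsoft-signed binaries (BitLockerToGo.exe, RegAsm.exe) that have no legitimate reason to touch any of them, which is only explained by stealer code running inside them. The following Python script is an added example written for this page, not Joe Sandbox code. It assumes only the plain-text event format shown above ("Source: <process> File opened: <path>", and likewise "Key opened:" and "Directory queried:"), sorts each target into a secret-store category using path fragments taken from what the report shows being accessed, and flags signed host binaries from an analyst-chosen list (INJECTION_HOSTS, an assumption, not something the report states) that read any of those categories. The sample lines are copied from the report above; the single explorer.exe line is constructed to exercise the benign bucket.

```python
"""Triage of sandbox 'File opened' / 'Key opened' / 'Directory queried' events.

Added example for this report, not Joe Sandbox code. Parses the plain-text
event lines, buckets each target into a secret-store category and flags
signed Windows/.NET binaries that read browser or wallet data, which only
happens when a stealer has been injected into them.
"""
import re
from collections import defaultdict

EVENT_RE = re.compile(
    r"^Source:\s+(?P<proc>\S.*?\.exe)\s+"
    r"(?P<action>File opened|Key opened|Directory queried):\s+(?P<target>.+)$"
)

# Path fragments per category, matched against the lower-cased target.
# Illustrative subset chosen from what the report shows being accessed.
CATEGORIES = {
    "browser_credentials": [
        r"\\login data$", r"\\web data$", r"\\cookies$", r"\\extension cookies$",
        r"\\logins\.json$", r"\\key4\.db$", r"\\cert9\.db$",
        r"\\cookies\.sqlite", r"\\places\.sqlite", r"\\history",
    ],
    # Chrome extension storage; wallet browser extensions keep their vaults here.
    "browser_extension_storage": [r"\\local extension settings\\"],
    "crypto_wallet": [
        r"\\exodus", r"\\electrum", r"\\electroncash", r"\\atomic", r"\\binance",
        r"\\coinomi", r"\\ledger live", r"\\guarda", r"\\com\.liberty\.jaxx",
        r"\\jaxx", r"\\multidoge", r"\\bitcoin\\wallets", r"\\ethereum\\wallets",
    ],
    "ftp_client": [
        r"\\filezilla", r"\\smartftp", r"\\ftprush", r"\\ftpgetter",
        r"\\ftpbox", r"\\ftpinfo", r"\\3d-ftp",
    ],
    # Outlook profile keys under Windows Messaging Subsystem hold saved mail accounts.
    "mail_profile": [r"\\windows messaging subsystem\\profiles\\"],
}

# Signed Windows / .NET binaries stealers are injected into. Analyst-chosen
# list (assumption for this example), extend for your own environment.
INJECTION_HOSTS = {"bitlockertogo.exe", "regasm.exe", "aspnet_regiis.exe"}


def parse_events(text):
    """Return one dict (proc, action, target) per recognised line; skip the rest."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify(target):
    """Map a file path or registry key to a secret-store category, else 'other'."""
    t = target.lower()
    for category, patterns in CATEGORIES.items():
        if any(re.search(p, t) for p in patterns):
            return category
    return "other"


def summarize(events):
    """Build {process basename: {category: set(targets)}}."""
    by_proc = defaultdict(lambda: defaultdict(set))
    for ev in events:
        proc = ev["proc"].rsplit("\\", 1)[-1].lower()
        by_proc[proc][classify(ev["target"])].add(ev["target"])
    return by_proc


def flag_injection_hosts(summary):
    """Signed host binaries that touched at least one secret-store category."""
    findings = []
    for proc, cats in summary.items():
        sensitive = sorted(c for c in cats if c != "other")
        if proc in INJECTION_HOSTS and sensitive:
            findings.append((proc, sensitive))
    return sorted(findings)


# Event lines copied from the report above, plus one constructed benign line
# (explorer.exe reading a document) to show the 'other' bucket.
SAMPLE_EVENTS = r"""
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Directory queried: C:\Users\user\Documents\LFOPODGVOH
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\explorer.exe File opened: C:\Users\user\Documents\notes.txt
"""

if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE_EVENTS))
    for proc, cats in sorted(summary.items()):
        print(proc, {c: len(t) for c, t in cats.items()})
    for proc, cats in flag_injection_hosts(summary):
        print(f"INJECTION HOST: {proc} read {', '.join(cats)}")
```

Run directly, the script prints per-process counts per category and then the two injection-host findings (BitLockerToGo.exe and RegAsm.exe); on a real case, feed it the report's full text export instead of the embedded sample. The host list is the part worth tuning: a Temp-dropped executable reading logins.json is what a stealer sample is expected to do, whereas a signed Windows binary reading logins.json or exodus.wallet is a higher-confidence indicator and points you at the injecting parent.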

Remote Access Functionality

Source: Yara match File source: Process Memory Space: BitLockerToGo.exe PID: 1504, type: MEMORYSTR
Source: Yara match File source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.aspnet_regiis.exe.960000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.stealc_zov.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.aspnet_regiis.exe.960000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.stealc_zov.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.TpWWMUpe0LEV.exe.6cb00000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.2975005911.0000000000960000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.3246282241.0000000000671000.00000080.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.1626680891.0000000000671000.00000080.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\stealc_zov[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe, type: DROPPED
Source: Yara match File source: 23.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.crypt6.exe.950000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.0.newbuild.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.newlogs.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000002.1766982252.0000000000984000.00000004.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.1604424609.0000000000242000.00000002.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.1725978010.0000000000421000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: crypt6.exe PID: 1196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7444, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: newlogs.exe PID: 6184, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: newbuild.exe PID: 316, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\newlogs[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\newbuild[1].exe, type: DROPPED
Source: Yara match File source: 0000001D.00000002.1733003318.0000000004751000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.2186372317.0000000002DA1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.2185877753.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.1731795497.0000000002E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2985442915.0000000000D97000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.2053180664.00000000032CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.1790275554.00000000028D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.2065808485.00000000032CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.1803784360.00000000028CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.3253196332.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2979412810.00000000009A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: aspnet_regiis.exe PID: 8052, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: stealc_zov.exe PID: 1272, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ZharkBOT.exe PID: 2908, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.aspnet_regiis.exe.960000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.stealc_zov.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.aspnet_regiis.exe.960000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.stealc_zov.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.TpWWMUpe0LEV.exe.6cb00000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.2975005911.0000000000960000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.3246282241.0000000000671000.00000080.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.1626680891.0000000000671000.00000080.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: stealc_zov.exe PID: 1272, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\stealc_zov[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Code function: 18_2_0005EB58 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext, 18_2_0005EB58
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe Code function: 18_2_0005DE61 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 18_2_0005DE61